
Twitter Suspends North Korean Threat Actor Accounts

Google TAG: Threat Group DPRK Targeted Security Researchers
Twitter suspends accounts of N Koreans targeting security researchers (Image: ISMG screenshot)

Social media platform Twitter has suspended two accounts that were being used by members of the DPRK, a North Korean government-backed threat group, according to Adam Weidemann, an analyst with the Google Threat Analysis Group.


The accounts, operating under @lagal1990 and @shiftrows13, targeted security researchers around the globe with malicious intent, according to Weidemann.

Weidemann reports that independent researchers Francisco Alonso and Javier Marcos identified the threat actors and shared the information with Google's Threat Analysis Group or TAG, which confirmed the findings.

"We [Google TAG] confirmed these [threat actor accounts] are directly related to the cluster of accounts we blogged about earlier this year. In the case of lagal1990, they renamed a GitHub account previously owned by another of their Twitter profiles that was shut down in Aug., mavillon1," Weidemann adds.

Campaign Timeline

In a Jan. 25, 2021 security blog, Google TAG informed users of an ongoing campaign, attributed to "a government-backed entity based in North Korea," targeting security researchers.

At the time, the Google TAG researchers noted that the bad actors created several Twitter profiles to pose as security researchers to interact with potential targets. The threat actors built trust and directed their targets to malicious links and web pages. They also leveraged other social media channels such as LinkedIn, Keybase and Telegram to approach security researchers, according to the Google TAG.

The threat actors also hosted a blog (blog.br0vvnn[.]io), which comprised analysis and descriptions of publicly disclosed vulnerabilities. They also frequently tweeted links to posts on the blog from fake social media profiles to give their impersonation tactics an air of legitimacy, the researchers say. The blog was also used to load malware onto the systems of security researchers who visited the link, they add.

The campaign followed a simple tactic. "After establishing initial communications, the actors ask the targeted researchers if they want to collaborate on a vulnerability research together, and then provide the researcher with a Visual Studio Project," says the Google TAG blog. This project contains an extra DLL file that the TAG researchers attribute to the hidden malware. "The DLL is custom malware that would immediately begin communicating with actor-controlled C2 [command and control] domains," the researchers say.
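The delivery described above, a Visual Studio project shipped with an extra DLL, is the kind of thing a researcher can triage before opening a project received from an unverified collaborator. The script below is an added example, not code from the article or from Google TAG: it walks a project tree, lists any executable artifacts (DLL/EXE) bundled with the sources, and extracts MSBuild pre-/post-build commands from the `.vcxproj`, which are the places a shipped binary is most likely to be referenced. The sample project, file names and command it writes to a temp directory are constructed for the demo.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

BINARY_EXT = {".dll", ".exe", ".sys", ".ocx"}
MSB = "{http://schemas.microsoft.com/developer/msbuild/2003}"  # standard .vcxproj namespace
EVENT_TAGS = ("PreBuildEvent", "PostBuildEvent")

# Constructed sample: a minimal .vcxproj with one build event plus a bundled DLL.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><ClCompile Include="poc.cpp" /></ItemGroup>
  <ItemDefinitionGroup>
    <PostBuildEvent><Command>copy "$(ProjectDir)helper.dll" "$(OutDir)"</Command></PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

def make_sample_project():
    """Write the constructed project to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="vsproj_")
    with open(os.path.join(root, "poc.vcxproj"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_VCXPROJ)
    with open(os.path.join(root, "poc.cpp"), "w") as f:
        f.write("int main() { return 0; }\n")
    with open(os.path.join(root, "helper.dll"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)  # placeholder bytes, not a real PE file
    return root

def build_event_commands(vcxproj):
    """Return (event, command) pairs for every build event in a .vcxproj."""
    tree = ET.parse(vcxproj)
    cmds = []
    for tag in EVENT_TAGS:
        for node in tree.iter(MSB + tag):
            cmd = node.find(MSB + "Command")
            if cmd is not None and cmd.text and cmd.text.strip():
                cmds.append((tag, cmd.text.strip()))
    return cmds

def triage(root):
    """Walk an untrusted project tree; report shipped binaries and build commands."""
    binaries, commands = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in BINARY_EXT:
                binaries.append(path)
            elif name.lower().endswith(".vcxproj"):
                commands.extend(build_event_commands(path))
    # Build commands that mention a bundled binary deserve the closest look.
    names = {os.path.basename(b).lower() for b in binaries}
    suspicious = [c for _, c in commands if any(n in c.lower() for n in names)]
    return {"binaries": binaries, "build_commands": commands, "suspicious": suspicious}
```

Any non-empty `suspicious` list means the project would run a command touching a binary you did not compile yourself; inspect it in an isolated VM rather than on the workstation used for research.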

The TAG researchers were, however, unsure about the vulnerability exploited by the malware to load itself on the victim's computer. They encouraged researchers to find the Chrome vulnerability and report any exploitations in the wild via the Chrome vulnerability reward program.

Despite being identified by the Google TAG team in January, the campaign did not cease. In March 2021, the researchers discovered yet another fake website, registered under a fictitious company called SecuriElite. The company, supposedly based in Turkey, claimed to offer offensive security services such as pentesting, software security assessments and exploits.

Although the researchers did not find any malicious content on the SecuriElite website, they added it to Google's Safe Browsing blocklist since it was hosted by the same North Korean threat actor.

Earlier Suspensions

The latest suspension of fake Twitter accounts is not the first in the campaign. Researchers Francisco Alonso and Javier Marcos in May flagged two other fake accounts - @fdh0mu and @m7research - to the researchers at the Google TAG team, who analyzed the claim before reporting it to Twitter. The social media platform suspended the accounts in August 2021, according to Alonso.


About the Author

Mihir Bagwe


Senior Correspondent, Global News Desk

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
