A North Korean hacking group known to have targeted security researchers in the past has now upped its game through the creation of a fake offensive security firm.
The threat actors, believed to be state-sponsored and backed by North Korea’s ruling party, were first documented by Google’s Threat Analysis Group (TAG) in January 2021.
Google TAG, specialists in tracking advanced persistent threat (APT) groups, said at the time that the North Korean cyberattackers had established a web of fake profiles across social media, including Twitter, Keybase, and LinkedIn.
“In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets,” Google said. “They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control.”
When members of the group reached out to their targets, they would ask whether the intended victim wanted to collaborate on cybersecurity research, and then send a malicious Visual Studio project containing a backdoor. Alternatively, they would ask researchers to visit a blog laden with malicious code, including browser exploits.
In an update posted on March 31, TAG’s Adam Weidemann said that the state-sponsored group has now changed tactics by creating a fake offensive security company, complete with new social media profiles and a branded website.
The fake company, dubbed “SecuriElite,” was set up on March 17 as securielite[.]com. SecuriElite claims to be based in Turkey and offers penetration testing services, software security assessments, and exploits.
A link to a PGP public key has been added to the website. While the inclusion of PGP is standard practice as an option for secure communication, the group has used these links in the past as a means to lure their targets into visiting a page where a browser-based exploit is waiting to deploy.
In addition, the SecuriElite ‘team’ has been furnished with a fresh set of fake social media profiles. The threat actors are posing as fellow security researchers, recruiters for cybersecurity firms, and in one case, the HR director of “Trend Macro” — not to be confused with the legitimate company Trend Micro.
Back in January, Google’s team linked the North Korean group to the use of an Internet Explorer zero-day. The company believes the group likely has access to more exploits and will continue to use them in the future against legitimate security researchers.
“We have reported all identified social media profiles to the platforms to allow them to take appropriate action,” Google says. “At this time, we have not observed the new attacker website serve malicious content, but we have added it to Google Safebrowsing as a precaution.”