North Korean-linked hackers have set up a fake security company and social media accounts as part of a broad campaign targeting cybersecurity researchers with malware, according to Google research published Wednesday.
Hackers have leveraged at least two fake accounts on LinkedIn that impersonate recruiters appearing to be from antivirus software and security companies, Google said. One of the recruiters, supposedly named “Carter Edwards,” works at a company allegedly named “Trend Macro,” which someone quickly searching for a new information security job may confuse with the legitimate security firm Trend Micro.
The campaign also relies on a smattering of Twitter accounts.
The fake Turkey-based company, which the hackers call “SecuriElite,” claims to be based in Turkey and focused on offensive security, penetration tests, software security assessments and exploits, according to Google.
The hackers set up the apparent company in March, Google said. The Twitter account that appears to be linked with the fake company has only tweeted once and has one follower as of press time.
It’s not the first time these suspected North Korean hackers have established a fake website and social media accounts meant to compel other security researchers into purported collaboration, only to trick them into downloading malware.
Google previously exposed an earlier iteration of the campaign, which boasted a seemingly legitimate security blog and opportunities for targets to research a vulnerability with the blog owners.
In that case, even interested targets who just clicked to see the blog were infected, even if they had patched and up-to-date Windows 10 and Chrome browser versions, Google said.
The revelation that the hackers have set up a new arm of the campaign in recent days, however, suggests they don’t appear to be deterred after their prior exposure.
Although Google has said the hackers are linked with a government-backed entity, they do not name the specific group of attackers.
The hackers have not appeared to target any researchers with malware using the SecuriElite part of the campaign yet, Google said. But the website offers a link to their PGP public key, a link the previous version of the campaign provided in order to distribute a browser exploit, according to Google.
The previous campaign, which did target victims with malware, leveraged accounts on Twitter, LinkedIn, Telegram Discord and Keybase, and also sent potential victims emails.
Google said it had contacted LinkedIn and Twitter for possible takedown efforts targeting the latest social media accounts the team has unearthed. Both social media platforms removed the accounts.
“Our terms prohibit the use of LinkedIn for any criminal activity, and we actively seek out signs of state-sponsored activity and quickly take action against bad actors on the platform,” a LinkedIn spokesperson told CyberScoop.
“All of the accounts you referenced were permanently suspended for violating the Twitter Rules. If we can reliably attribute any activity to state-backed actors, we will disclose accounts and associated content to our archive of information operations,” a Twitter spokesperson said.
Some North Korean hackers posed as job recruiters in 2016 and 2017 in an effort to break into the computer systems at Lockheed Martin, according to the Department of Justice.
More recently, hackers linked with North Korea’s government known as Lazarus Group targeted people working Israel’s defense sector with fake job offers last year as a part of a broader espionage campaign, according to Israel’s Ministry of Defense. North Korean hackers have also recently targeted employees at aerospace and defense firms with malicious Microsoft Word documents, according to McAfee researchers.
Update, 3/31/2021: This article has been updated to include LinkedIn’s and Twitter’s comments.