In January, Google and Microsoft revealed what they believe were North Korean government-sponsored hackers targeting security researchers. The hackers spent weeks using fake Twitter profiles, which allegedly belonged to vulnerability researchers, before unleashing an Internet Explorer zero-day and a malicious Visual Studio project, both of which installed custom malware.
Now the same hackers are back, a Google researcher said Wednesday, this time with a new set of social media profiles and a bogus company claiming to offer offensive security services, including penetration testing, software security assessments and software exploits.
One more time with feeling
The fake company homepage is sleek and looks no different from countless real security companies around the world:
The hackers also created more than a dozen new social media profiles that claimed to belong to security company recruiters, security researchers and several employees of SecuriElite, the fake security company. The work put into creating the profiles was quite impressive.
Trolling to the next level
My favorite is this Twitter profile of @seb_lazarwhich supposedly corresponds to Sebastian Lazarescue, one of the fake researchers who works for the fake SecuriElite:
Security people all know that Lazarus is the name used to identify hackers backed by the North Korean government. Developing detailed Twitter and LinkedIn profiles for a researcher at your fake security company, calling him Sebastian Lazarescue, and getting him to retweet many top security researchers — some who work for Google — is next level trolling.
Adam Weidemann, a researcher with Google’s Threat Analysis Group, warns that the hackers’ past success in luring researchers to websites hosting an IE zero-day means the group should be taken seriously.
“Based on their activity, we continue to believe that these actors are dangerous and likely have more 0 days,” he wrote.