Google Reports Cyberattacks on Security Researchers from North Korean Hackers

Google has issued a warning about an ongoing campaign targeting cybersecurity researchers. Google attributes the activity to a government-backed entity based in North Korea.

The warning came in a blog post by Adam Weidemann, a researcher with Google’s Threat Analysis Group. He reported that the attackers set up a fake research blog to build credibility and ran several Twitter accounts through which they approached security researchers. The campaign targets researchers at a range of companies and organizations, aiming to compromise their systems and steal data.

Weidemann wrote in the post, “In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server.”

Beyond Twitter, the attackers also contacted targets through Telegram, LinkedIn, Keybase, Discord and email. At the time of the compromises, the affected researchers were running up-to-date versions of Google’s Chrome browser and Microsoft’s Windows 10.

Weidemann added that Google has not yet been able to confirm the mechanism of compromise and welcomes information from anyone who may have seen related activity. Google asks anyone who identifies activity exploiting a Chrome vulnerability to report it through the Chrome VRP submission process.

Google also recommended that researchers who suspect they were targeted “compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.”

Here are some of the sites and accounts Google lists as actor-controlled:

Research Blog: https://blog.br0vvnn[.]io

Twitter Accounts: https://twitter.com/BrownSec3Labs; https://twitter.com/br0vvnn

Telegram: https://t.me/james50d

LinkedIn Accounts: https://www.linkedin.com/in/guo-zhang-b152721bb/; https://www.linkedin.com/in/billy-brown-a6678b1b8/

Keybase: https://keybase.io/zhangguo

The complete list of websites and social media accounts believed to be operated by the attackers is available in the Google blog post.
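One practical use of the indicators above is to sweep proxy, DNS and browser-history logs for any contact with the listed domain and accounts. The script below is an added example written for this article, not Google’s tooling; the log lines are constructed for illustration, and the indicator list is the one quoted above (the blog domain is written defanged with “[.]” as in the report, so it is refanged before matching).

```python
"""Sweep log lines for the actor-controlled domain and accounts listed above.
Added example, not code from Google's report; SAMPLE_LOGS are constructed."""
import re
from urllib.parse import urlparse

# Indicators as quoted in the article (blog domain defanged, as published).
IOC_URLS = [
    "https://blog.br0vvnn[.]io",
    "https://twitter.com/BrownSec3Labs",
    "https://twitter.com/br0vvnn",
    "https://t.me/james50d",
    "https://www.linkedin.com/in/guo-zhang-b152721bb/",
    "https://www.linkedin.com/in/billy-brown-a6678b1b8/",
    "https://keybase.io/zhangguo",
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# Bare hostnames, e.g. in DNS query logs that carry no URL scheme.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def refang(indicator: str) -> str:
    """Undo common defanging so indicators can be compared to live logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_iocs(urls):
    """Split indicators into bare domains (any request to the domain or a
    subdomain is a hit) and host+path entries (specific account pages)."""
    domains, paths = set(), []
    for u in urls:
        clean = refang(u)
        p = urlparse(clean)
        host, path = p.netloc.lower(), p.path.rstrip("/").lower()
        label = clean.split("://", 1)[1].rstrip("/")
        if path:
            paths.append((host, path, label))
        else:
            domains.add(host)
    return domains, paths


def host_matches(host, domains):
    host = host.lower()
    return [d for d in domains if host == d or host.endswith("." + d)]


def match_line(line, domains, paths):
    """Return the sorted list of indicator labels hit by one log line."""
    hits = set()
    for url in URL_RE.findall(line):
        p = urlparse(url)
        host, path = p.netloc.lower(), p.path.rstrip("/").lower()
        hits.update(host_matches(host, domains))
        for ioc_host, ioc_path, label in paths:
            # Match the account page itself or anything beneath it (e.g. /status/...).
            if host == ioc_host and (path == ioc_path or path.startswith(ioc_path + "/")):
                hits.add(label)
    for host in HOST_RE.findall(line):
        hits.update(host_matches(host, domains))
    return sorted(hits)


def scan(lines, urls=IOC_URLS):
    """Return (line_index, indicator) pairs for every hit across the log."""
    domains, paths = build_iocs(urls)
    return [(i, hit) for i, line in enumerate(lines)
            for hit in match_line(line, domains, paths)]


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2021-01-25T10:02:11Z dns query A blog.br0vvnn.io from 10.0.0.21",
    "2021-01-25T10:02:12Z proxy GET https://blog.br0vvnn.io/post/1 user=alice",
    "2021-01-25T10:05:40Z proxy GET https://twitter.com/br0vvnn user=alice",
    "2021-01-25T10:06:02Z proxy GET https://twitter.com/home user=alice",
    "2021-01-25T11:00:00Z dns query A www.google.com from 10.0.0.21",
    "2021-01-25T11:30:00Z proxy GET https://keybase.io/zhangguo user=bob",
    "2021-01-25T11:31:09Z proxy GET https://twitter.com/BrownSec3Labs/status/1 user=bob",
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_LOGS):
        print(f"line {idx}: {hit}")
```

A hit on the blog domain (or any subdomain of it) is the strongest signal, since visiting it is the step that preceded the compromise in every case Google describes; hits on the social-media account pages indicate contact with the personas and merit a conversation with the user rather than an automatic verdict.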

North Korea has denied the report’s allegation of its involvement with the hackers. Earlier reports, however, have linked the country to major cyberattacks on governments, organizations and businesses, among them the 2014 Sony Pictures hack and the 2017 WannaCry ransomware outbreak.

In light of this campaign, Google urged everyone to stay vigilant and to examine their systems for signs of compromise.