Google says North Korea-backed hackers sought cyber research

A team of North Korean computer hackers used a fake website to hack other hackers, Google has revealed. 

Google said the Pyongyang-backed hackers used fake social media profiles to lure computer security researchers to a blog about vulnerability research, then infected the researchers' computers through covert means in order to steal information from them.

The search engine giant said the scheme, which appeared to involve compromising fully patched Windows and Google Chrome installations, succeeded at times, but it did not specify what information was taken.

Experts say the attacks reflect North Korean efforts to improve its cyber skills and be able to breach widely used computer products, such as the Chrome internet browser and the Windows 10 operating system.

While the country has denied involvement, North Korea has been linked to major cyberattacks, including the WannaCry malware attack of 2017, which crippled the NHS computer system. 

Google said it believes a team of Pyongyang-based hackers has posed as computer security bloggers and used fake social media accounts in attempts to steal information from researchers in the field.

North Korea has also been blamed for a 2013 campaign that paralyzed the servers of South Korean financial institutions and for the 2014 hack of Sony Pictures.

The UN Security Council in 2019 estimated North Korea earned as much as £1.45 billion over several years through illicit cyber operations targeting cryptocurrency exchanges and other financial transactions, generating income that is harder to trace and offsets capital lost to US-led economic sanctions over its nuclear weapons program.

Adam Weidemann, a researcher from Google's Threat Analysis Group, said in the online report published late Monday that hackers believed to be backed by North Korea created a fake research blog and multiple Twitter profiles to build credibility and interact with the security researchers they targeted.

After connecting with researchers, the hackers would ask whether they wanted to collaborate on vulnerability research and would share a tool containing code designed to install malicious software on the targets' computers, giving the hackers control of the device and the ability to steal information from it.

Several targeted researchers were compromised after following a Twitter link to a blog set up by the hackers, Weidemann said.

‘At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions,’ Weidemann wrote. ‘At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have.’

‘We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with,’ Weidemann added.

North Korea is believed to be behind the Wannacry ransomware virus, which crippled the NHS computer system in 2017

Google published a list of social media accounts and websites it said were controlled by the hackers, including 10 Twitter profiles and five LinkedIn profiles.

After the announcement, several researchers confirmed they had been targeted in the attacks.

Founder of security firm Hyperion Gray, Alejandro Caceres, said that he was hacked but that ‘no customer information was leaked’. 

He said the hackers contacted him on Twitter and shared a file containing malware, which he opened. Caceres is offering $80,000 (£58,300) for information about the hackers' identities.

Google said some people were hacked without opening malware-laden files; they had simply visited a website controlled by the hackers.

The victims were running up-to-date Windows 10 and Chrome at the time, meaning the hackers may have had access to previously unknown vulnerabilities in Windows and Chrome, commonly referred to as zero-days, although Google said it could not yet confirm how the compromise occurred.

One of the sites, which has now been flagged by Google, is still online.  

Simon Choi, a senior analyst at NSHC, a South Korean computer security firm, said cyberattacks linked to North Korea over the past few years have demonstrated an improving ability in identifying and exploiting vulnerabilities in computer security systems. 

Before 2016, the North Koreans had mainly relied on methods used by Chinese or Russian hackers, he said.

‘It's notable that the computer security experts on Twitter who said they were approached by the hackers had been engaged in vulnerability research for Chrome and Windows 10,’ Choi said.

‘It's not that easy to successfully penetrate these systems that are built with the latest security technologies. For the North Koreans, it makes more sense to steal the vulnerabilities already discovered by the researchers because developing their own ways to exploit these systems is harder.’

In 2018, U.S. federal prosecutors charged a computer programmer working for the North Korean government for his alleged involvement in the cyberattacks that hacked Sony Pictures and unleashed the WannaCry ransomware virus.

Park Jin Hyok, who is believed to be in North Korea, conspired to conduct attacks that also stole $81 million from Bangladesh’s central bank, according to the charges.

The 2014 Sony hack led to the release of tens of thousands of confidential Sony emails and business files. The WannaCry cyberattack in 2017 scrambled data on hundreds of thousands of computers at government agencies, banks and other businesses across the globe and crippled parts of the NHS.