On Wednesday, Google’s Threat Analysis Group (TAG) shed some light on cyberattacks that targeted security researchers. According to TAG, the attacks were backed by the North Korean government and relied on a new social engineering campaign, in which hackers posing as a reputable cybersecurity firm carried out the attack.
The attackers behind the operation surfaced as a fake cybersecurity company called SecuriElite. The hackers also created multiple social media accounts to support the attack. These actor-controlled profiles claimed to be vulnerability researchers and human resources personnel at different security firms; other profiles claimed to be employees of SecuriElite. All eight Twitter profiles and seven LinkedIn profiles have since been suspended.
The goal of the attack was to steal undisclosed research from the targeted researchers. In January 2021, Google’s Threat Analysis Group (TAG) discovered SecuriElite, complete with a research blog and social media accounts on Twitter, LinkedIn, Discord, Keybase and Telegram.
TAG researcher Adam Weidemann said that the SecuriElite blog contained analyses of several disclosed vulnerabilities, along with ‘guest’ posts from unwitting security researchers. The hackers created the blog to establish SecuriElite as a credible company.
The goal of this attack
The hackers used the fake profiles to engage with researchers and to share videos of several fake exploits; the fake blog linked to all of these social media posts. The actual motive for the attack remains unclear. However, the hackers are believed to have built up the trust of several cybersecurity researchers so they could deliver a Windows backdoor in the form of a malware-laced Visual Studio project. The hackers wanted to steal unreleased research and claim it as their own.
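The article does not say how the Visual Studio project carried its payload, so the following is an added defensive illustration, not code from the article or from Google TAG. It checks one generic way any MSBuild project can run code before a researcher has read a single source file: the commands in PreBuildEvent, PreLinkEvent and PostBuildEvent elements and in Exec tasks are executed as soon as the project is built. The .vcxproj below is constructed for this example, and its commands are placeholders.

```python
"""Triage check for a .vcxproj received from an untrusted source.

Added example (not from the article or Google TAG). MSBuild executes the
<Command> text of PreBuildEvent / PreLinkEvent / PostBuildEvent elements
and the Command attribute of <Exec> tasks when the project is built, so
listing them lets a reviewer see every build-time command before opening
the solution in Visual Studio. The sample project is constructed here.
"""
import xml.etree.ElementTree as ET

# Elements whose <Command> child is run as a shell command at build time.
COMMAND_EVENTS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")


def local_name(tag):
    """Strip the MSBuild XML namespace (if present) from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_time_commands(vcxproj_xml):
    """Return every command MSBuild would run while building this project.

    Each finding records where the command lives and its text, so the
    reviewer can read it in full before deciding whether to build.
    """
    root = ET.fromstring(vcxproj_xml)
    # ElementTree has no parent pointers; build a map so an <Exec> can be
    # attributed to the <Target> that owns it.
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in COMMAND_EVENTS:
            for child in elem:
                if local_name(child.tag) == "Command" and (child.text or "").strip():
                    findings.append({"source": name, "command": child.text.strip()})
        elif name == "Exec" and (elem.get("Command") or "").strip():
            owner = parent.get(elem)
            target = owner.get("Name", "?") if owner is not None and local_name(owner.tag) == "Target" else "?"
            findings.append({"source": f"Exec in target {target}", "command": elem.get("Command").strip()})
    return findings


def triage(vcxproj_xml):
    """Summarise the check: a verdict string plus the list of findings."""
    findings = find_build_time_commands(vcxproj_xml)
    verdict = "REVIEW BEFORE BUILDING" if findings else "no build-time commands found"
    return verdict, findings


# Constructed sample project: a plausible-looking proof-of-concept build
# that also carries a pre-build command and a post-build Exec task.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
    </ClCompile>
    <PreBuildEvent>
      <Command>cmd /c echo placeholder-prebuild-command</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuildHook" AfterTargets="Build">
    <Exec Command="echo placeholder-exec-command" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_VCXPROJ)
    print(verdict)
    for f in findings:
        print(f"  [{f['source']}] {f['command']}")
```

The check is deliberately narrow: it flags only the build-event and Exec mechanisms, so a clean result means "no build-time commands in this file", not "safe to build". Projects that import other .props or .targets files, or that rely on a solution-level hook, still need those files reviewed, and the usual advice of building untrusted research projects only inside an isolated virtual machine applies regardless of what this scan reports.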
As a precaution, Google has added the SecuriElite website to its Safe Browsing blocklist to prevent accidental visits.