A North Korean hacking group that has targeted security researchers in the past has now stepped up its game by creating a fake offensive security firm.
The threat actors are considered to be state-sponsored and backed by North Korea's ruling party, and were previously documented by Google's Threat Analysis Group (TAG) in January 2021.
Google TAG, which specializes in tracking advanced persistent threat (APT) groups, said at the time that the North Korean cyberattackers had set up a web of fake profiles across social media, including Twitter, Keybase and LinkedIn.
“To build credibility and connect with security researchers, actors set up a research blog and several Twitter profiles to interact with potential targets,” Google said. “They have used their Twitter links to post links to their blogs, post videos of their claimed adventures, and to post and retweet the accounts they control.”
Once group members had made contact with a target, they would ask whether the intended victim wanted to collaborate on vulnerability research, before sending them a malicious Visual Studio project. Alternatively, they would ask researchers to visit a blog hosting malicious code, including browser exploits.
In an update posted on 31 March, Adam Weidemann of TAG said that the state-sponsored group has now changed tactics, creating a fake offensive security company with new social media profiles and a branded website.
The bogus company, dubbed "SecuriElite", was set up on March 17 under the domain SecularLight[.]com. SecuriElite claims to be based in Turkey and offers penetration testing services, software security assessments and exploits.
A link to a PGP public key has been added to the website. While publishing a PGP key is standard practice for offering a secure channel of communication, the group has previously used such links to lure targets to a page where a browser-based exploit is deployed.
In addition, the SecuriElite "team" has been equipped with a new set of fake social media profiles. The threat actors are posing as fellow security researchers, recruiters for cybersecurity firms and, in one case, the human resources director of "Trend Macro", not to be confused with the legitimate company Trend Micro.
Google's team linked the North Korean group to the use of an Internet Explorer exploit back in January. The company believes it is likely that the group has access to more exploits and will continue to use them against legitimate security researchers.
"We have reported all social media profiles to the platforms to allow them to take appropriate action," Google says. "At this time, we have not seen the new attacker website serving malicious content, but we have added it to Google Safe Browsing as a precaution."