Twitter suspends two accounts used by DPRK hackers to catfish security researchers
Twitter has suspended today two accounts operated by North Korean government hackers and used as part of a clever plot to attract security researchers to malicious sites and infect their systems with malware.
The accounts —@lagal1990 and @shiftrows13— are part of a long-lived DPRK cyber-espionage campaign that began last year and specifically targets members of the cybersecurity community.
First exposed by the Google Threat Analysis Group in January this year, this campaign is still ongoing.
At the time, Google said that North Korean agents worked for months to create personas for fake security researchers on various social networks, such as Twitter, LinkedIn, Telegram, Discord, and Keybase, which they used to post infosec-related content, gain a reputation in the industry, and reach out to security researchers.
If victims responded, the DPRK hackers would ask researchers to work together on various projects and eventually lure them to sites hosting malicious JavaScript code that would infect their victims' computers with malware.
While unclear what happened after an infection took place, the general theory was that DPRK agents would gain access to the researchers' computers and search and steal non-public exploits or vulnerability write-ups, or spy on the researcher's employer— which could be security firms or governments agencies, classic targets of North Korean espionage.
Even if Google exposed this campaign in January, the attacks did not stop. In March, Google said it found new Twitter accounts part of this operation and even a fake cybersecurity company named SecuriElite that the North Korean hackers used as part of their catfishing attempts.
Since then, both Google TAG and the infosec community have been on the lookout for new accounts that may be linked to this operation.
Accounts had been active for months
Today, Adam Weidemann, an analyst with Google TAG, said that Twitter had suspended two new accounts part of this operation after another one was suspended in August.
We (TAG) confirmed these are directly related to the cluster of accounts we blogged about earlier this year. In the case of lagal1990, they renamed a github account previously owned by another of their twitter profiles that was shutdown in Aug, mavillon1 pic.twitter.com/FXQ0w57tyE
— Adam (@digivector) October 15, 2021
Just like in the previous cases, the accounts posted cybersecurity-related content, such as proof-of-concept code for recently disclosed exploits, in the hopes of gaining a reputation in the infosec community.
None of the two accounts had more than 1,000 followers.
It is unclear if the two accounts had contacted other researchers or if they were still in the reputation-building phase.
Catalin Cimpanu
is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.