Twitter suspends two accounts used by DPRK hackers to catfish security researchers
Image: The Record
Catalin Cimpanu October 15, 2021

Twitter suspends two accounts used by DPRK hackers to catfish security researchers

Twitter suspends two accounts used by DPRK hackers to catfish security researchers

  • Twitter has suspended today two accounts operated by North Korean government hackers.
  • The accounts were used to lure security researchers to malicious sites to infect them with malware.
  • The accounts are part of a long-lived cyber-espionage operation targeting the infosec community that began last year.

Twitter has suspended today two accounts operated by North Korean government hackers and used as part of a clever plot to attract security researchers to malicious sites and infect their systems with malware.

The accounts —@lagal1990 and @shiftrows13— are part of a long-lived DPRK cyber-espionage campaign that began last year and specifically targets members of the cybersecurity community.

First exposed by the Google Threat Analysis Group in January this year, this campaign is still ongoing.

At the time, Google said that North Korean agents worked for months to create personas for fake security researchers on various social networks, such as Twitter, LinkedIn, Telegram, Discord, and Keybase, which they used to post infosec-related content, gain a reputation in the industry, and reach out to security researchers.

If victims responded, the DPRK hackers would ask researchers to work together on various projects and eventually lure them to sites hosting malicious JavaScript code that would infect their victims’ computers with malware.

While unclear what happened after an infection took place, the general theory was that DPRK agents would gain access to the researchers’ computers and search and steal non-public exploits or vulnerability write-ups, or spy on the researcher’s employer— which could be security firms or governments agencies, classic targets of North Korean espionage.

Even if Google exposed this campaign in January, the attacks did not stop. In March, Google said it found new Twitter accounts part of this operation and even a fake cybersecurity company named SecuriElite that the North Korean hackers used as part of their catfishing attempts.

Since then, both Google TAG and the infosec community have been on the lookout for new accounts that may be linked to this operation.

Accounts had been active for months

Today, Adam Weidemann, an analyst with Google TAG, said that Twitter had suspended two new accounts part of this operation after another one was suspended in August.

Just like in the previous cases, the accounts posted cybersecurity-related content, such as proof-of-concept code for recently disclosed exploits, in the hopes of gaining a reputation in the infosec community.

None of the two accounts had more than 1,000 followers.

It is unclear if the two accounts had contacted other researchers or if they were still in the reputation-building phase.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.