One early January morning, security researcher Zuk Avraham got a nondescript direct message out of the blue on Twitter: “Hi.” It was from someone named Zhang Guo. The short, unsolicited message wasn’t too unusual; as the founder of both the threat-monitoring firm ZecOps and the antivirus firm Zimperium, Avraham gets a lot of random DMs.
Zhang claimed to be a web developer and bug hunter in his Twitter bio. His profile showed that he’d created his account last June and had 690 followers, perhaps a sign that the account was credible. Avraham responded with a simple hello later that night, and Zhang wrote back immediately: “Thanks for your reply. I have some questions?” He went on to express interest in Windows and Chrome vulnerabilities and to ask Avraham if he was himself a vulnerability researcher. That’s where Avraham let the conversation trail off. “I didn’t reply—I guess being busy saved me here,” he told WIRED.
Avraham wasn’t the only one who had this sort of conversation with the “Zhang Guo” Twitter account and its associated aliases, all of which are now suspended. Dozens of other security researchers—and possibly even more—in the United States, Europe, and China received similar messages in recent months. But as Google’s Threat Analysis Group revealed Monday, those messages weren’t from bug-hunting hobbyists at all. They were the work of hackers sent by the North Korean government, part of a sweeping campaign of social engineering attacks designed to compromise high-profile cybersecurity professionals and steal their research.
The attackers didn’t limit themselves to Twitter. They set up identities across Telegram, Keybase, LinkedIn, and Discord as well, messaging established security researchers about potential collaborations. They built out a legitimate-looking blog complete with the kind of vulnerability analyses you’d find from a real firm. They had found a flaw in Microsoft Windows, they’d say, or Chrome, depending on the expertise of their target. They needed help figuring out if it was exploitable.
It was all a front. Every exchange had a common goal: Get the victim to download malware masquerading as a research project, or click a link in a malware-laced blog post. Targeting security researchers was, as Google called it, a “novel social engineering method.”
“If you have communicated with any of these accounts or visited the actors’ blog, we suggest you review your systems,” TAG researcher Adam Weidemann wrote. “To date, we have only seen these actors targeting Windows systems as a part of this campaign.”
The attackers primarily attempted to spread their malware by sharing Microsoft Visual Studio projects with targets. Visual Studio is a development tool for writing software; the attackers would send the exploit source code they claimed to be working on with malware as a stowaway. Once a victim downloaded, opened, and built the tainted project, a malicious library bundled alongside the source would run and start communicating with the attackers’ command and control server.
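The reason a shared project is dangerous is that building it is code execution: MSBuild runs any pre-build, pre-link, post-build or custom-build command and any Exec task it finds in the project file, whatever the source code alongside it does. The scanner below is an added example, not code from the article or from Google TAG, that triages a .vcxproj before it is built by listing those hooks. The two project files it scans are constructed for this example, and the DLL name and commands inside them are hypothetical; the only thing it assumes about the real campaign is the article's description of a library that ran out of a shared project.

```python
"""Triage a Visual Studio (MSBuild) .vcxproj for build-time code execution.

Added example, not part of the original article or of Google TAG's report.
The sample projects are constructed; the DLL name and commands in them are
hypothetical and stand in for whatever a stowaway project might carry.
"""
from collections import namedtuple
import xml.etree.ElementTree as ET

Finding = namedtuple("Finding", "kind condition command")

# Item definitions whose <Command> child MSBuild executes during a build.
EVENT_ELEMENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent",
                  "CustomBuildStep", "CustomBuild"}

# Imports of the stock C++ toolchain are expected; anything else is a file
# that can define its own targets and tasks.
TRUSTED_IMPORT_PREFIXES = ("$(VCTargetsPath)", "$(MSBuildToolsPath)",
                           "$(MSBuildExtensionsPath)")


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _walk(elem, condition, findings):
    if not isinstance(elem.tag, str):  # skip XML comments
        return
    name = _local(elem.tag)
    # A Condition on an ItemDefinitionGroup/Target applies to everything inside it.
    condition = elem.get("Condition", condition)
    if name in EVENT_ELEMENTS:
        for child in elem:
            if isinstance(child.tag, str) and _local(child.tag) == "Command" \
                    and (child.text or "").strip():
                findings.append(Finding(name, condition, child.text.strip()))
    elif name == "Exec" and (elem.get("Command") or "").strip():
        findings.append(Finding("Exec", condition, elem.get("Command").strip()))
    elif name == "Import":
        project = elem.get("Project", "")
        if project and not project.startswith(TRUSTED_IMPORT_PREFIXES):
            findings.append(Finding("Import", condition, project))
    for child in elem:
        _walk(child, condition, findings)


def find_build_hooks(vcxproj_xml):
    """Return every build-time execution hook in a .vcxproj, in document order."""
    findings = []
    _walk(ET.fromstring(vcxproj_xml), "", findings)
    return findings


def is_safe_to_build(vcxproj_xml):
    """True only if the project file carries no command MSBuild would run."""
    return not find_build_hooks(vcxproj_xml)


# Constructed sample: an "exploit PoC" project with a stowaway post-build
# command and a custom target. Both would run on the first build.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\\Microsoft.Cpp.Default.props" />
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
    </ClCompile>
    <PostBuildEvent>
      <Command>rundll32.exe $(ProjectDir)Browse.VC.db.dll,Open</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Import Project="$(VCTargetsPath)\\Microsoft.Cpp.targets" />
  <Target Name="AfterBuild">
    <Exec Command="cmd /c copy $(TargetPath) %TEMP%" />
  </Target>
</Project>
"""

# Constructed sample: the same project with only the stock toolchain imports.
CLEAN_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\\Microsoft.Cpp.Default.props" />
  <Import Project="$(VCTargetsPath)\\Microsoft.Cpp.targets" />
</Project>
"""

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_VCXPROJ), ("clean", CLEAN_VCXPROJ)):
        hooks = find_build_hooks(xml)
        print(f"{label}: {'no build hooks' if not hooks else 'DO NOT BUILD'}")
        for kind, cond, cmd in hooks:
            print(f"  {kind:15} {cond or '<always>':45} {cmd}")
```

The scan is a triage aid, not a clean bill of health: a project can also pull code in through .props or .targets files dropped next to it, through other projects in the same solution, or through packages restored at build time, so the safe default for anything a stranger sends is still to open and build it only inside a disposable, isolated VM.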
The malicious blog link provided a different potential avenue for infection. With one click, targets unknowingly triggered an exploit that gave attackers remote access to their device. Victims reported that they were running fully patched, up-to-date versions of Windows 10 and Chrome, which suggests the hackers may have used an unknown, or zero-day, Chrome exploit to gain access.
ZecOps’ Avraham says that while the hackers hadn’t fooled him in their brief DM chat, he did click on a link in one of the attackers’ blog posts that purported to show some research-related code. He did so from a dedicated and isolated Android device that he says doesn’t seem to have been compromised. But the focus of the bogus blog’s analysis raised red flags at the time. “I suspected once I saw the shellcode,” he says of the malware payload the attacker deployed in an attempted compromise. “It was a bit odd and cryptic.”