One early January morning, security researcher Zuk Avraham got a nondescript direct message out of the blue on Twitter: “Hi.” It was from someone named Zhang Guo. The short, unsolicited messaged wasn't too unusual; as the founder of both the threat-monitoring firm ZecOps and the antivirus firm Zimperium, Avraham gets a lot of random DMs.
Zhang claimed to be a web developer and bug hunter in his Twitter bio. His profile showed that he'd created his account last June and had 690 followers, perhaps a sign that the account was credible. Avraham responded with a simple hello later that night, and Zhang wrote back immediately: “Thanks for your reply. I have some questions?” He went on to express interest in Windows and Chrome vulnerabilities and to ask Avraham if he was himself a vulnerability researcher. That’s where Avraham let the conversation trail off. “I didn’t reply—I guess being busy saved me here,” he told WIRED.
Avraham wasn’t the only one who had this sort of conversation with the “Zhang Guo” Twitter account and its associated aliases, all of which are now suspended. Dozens of other security researchers—and possibly even more—in the United States, Europe, and China received similar messages in recent months. But as Google's Threat Analysis Group revealed Monday, those messages weren't from bug-hunting hobbyists at all. They were the work of hackers sent by the North Korean government, part of a sweeping campaign of social engineering attacks designed to compromise high-profile cybersecurity professionals and steal their research.
The attackers didn't limit themselves to Twitter. They set up identities across Telegram, Keybase, LinkedIn, and Discord as well, messaging established security researchers about potential collaborations. They built out a legitimate-looking blog complete with the kind of vulnerability analyses you'd find from a real firm. They had found a flaw in Microsoft Windows, they'd say, or Chrome, depending on the expertise of their target. They needed help figuring out if it was exploitable.
It was all a front. Every exchange had a common goal: Get the victim to download malware masquerading as a research project, or click a link in a malware-laced blog post. Targeting security researchers was, as Google called it, a “novel social engineering method."
“If you have communicated with any of these accounts or visited the actors’ blog, we suggest you review your systems,” TAG researcher Adam Weidemann wrote. “To date, we have only seen these actors targeting Windows systems as a part of this campaign.”
The attackers primarily attempted to spread their malware by sharing Microsoft Visual Studio projects with targets. Visual Studio is a development tool for writing software; the attackers would send the exploit source code they claimed to be working on with malware as a stowaway. Once a victim downloaded and opened the tainted project, a malicious library would start communicating with the attackers' command and control server.
The malicious blog link provided a different potential avenue for infection. With one click, targets unknowingly triggered an exploit that gave attackers remote access to their device. Victims reported that they were running current versions of Windows 10 and Chrome, which indicates the hackers may have used an unknown, or zero-day, Chrome exploit to gain access.
ZecOps’ Avraham says that while the hackers hadn't fooled him in their brief DM chat, he did click on a link in one of the attackers' blog posts that purported to show some research-related code. He did so from a dedicated and isolated Android device that he says doesn't seem to have been compromised. But the focus of the bogus blog's analysis raised red flags at the time. “I suspected once I saw the shellcode,” he says of the malware payload the attacker deployed in an attempted compromise. “It was a bit odd and cryptic."
After Google published its blog post, numerous researchers realized that they had been targeted by the campaign and shared examples of their own interactions with the attackers. Some even admitted that they had clicked a bad link or downloaded a Visual Studio project. Most said, though, that they had taken precautions like poking around using a "virtual machine," or simulated computer within a computer—a standard practice for security researchers who evaluate a lot of sketchy links and files as a matter of course and need to ensure that none of those monsters escape the lab.
It's unclear, though, how many targets the attackers successfully breached. While the campaign was targeted, it also had relatively broad appeal. To make the blog look legitimate, for example, the attackers spun up a YouTube video that purported to give a walkthrough of how an exploit worked. And one of the attackers' blog links got a decent number of upvotes on a popular infosec subreddit.
Researchers say that targeting security professionals en masse was notably brazen and unique, but that otherwise the campaign wasn't technically exceptional. It was surprising, though, to see hackers risk exposing a Chrome zero day vulnerability for the campaign. And as Warren Mercer, technical lead of the threat intelligence group Cisco Talos, noted in a blog post, the attackers had a solid grasp of the English language and made contact during their targets' normal working hours.
The approach was clever also in how it preyed on dynamics within the security community. Collaboration is an important tool in security research and defense; if everyone did their work in isolation it would be nearly impossible to see the bigger picture of attack trends and hacker activities worldwide. Many researchers fear that the campaign, and any copycats, could have an outsize chilling effect on this necessary component of their work.
In addition to Google's attribution to North Korea, Kaspersky Labs researcher Costin Raiu tweeted on Monday that one of the tools used in the attack is typically used by the notorious North Korean hacking gang Lazarus Group. ZecOps' Avraham and others have emphasized, though, that unless Google shares more details about how it came to its attribution, the public evidence remains thin.
The attackers targeted NSA hacker Dave Aitel as well, albeit unsuccessfully. “I am not worthy. But I appreciate you thinking of me. I'm not at your level,” he joked when the Zhang Guo account suggested they work on a sensitive Windows exploit together. Still, Aitel says that lessons from the campaign need to be learned sooner than later, at all levels.
“Where is the United States government in all this?” he says. “Not just detecting, but responding and communicating.”
Most researchers say that they already take precautions that protected them from this campaign, or would have had they been targeted. But the incident is certainly a reminder to maintain vigilance and trust, but verify.
- 📩 Want the latest on tech, science, and more? Sign up for our newsletters!
- 2034, Part I: Peril in the South China Sea
- My quest to survive quarantine—in heated clothes
- How law enforcement gets around your phone's encryption
- AI-powered text from this program could fool the government
- The ongoing collapse of the world's aquifers
- 🎮 WIRED Games: Get the latest tips, reviews, and more
- 🏃🏽♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones
