A North Korean government-backed hacking group has set up a new website for a fake company called “SecuriElite” to target security researchers, Google’s Threat Analysis Group has warned.
The new website claims the company is an offensive security firm located in Turkey that offers pentests, software security assessments and exploits.
This new campaign comes after Google’s Threat Analysis Group in January documented a hacking campaign by the same North Korean entity targeting security researchers working on vulnerability research and development at different companies and organizations.
In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with the potential targets.
Elegant Themes - The most popular WordPress theme in the world and the ultimate WordPress Page Builder. Get a 30-day money-back guarantee. Get it for Free
They have used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
Talking about the new campaign, Google said that the new website, like previous websites set up by this actor, has a link to their PGP (which can be used to send messages confidentially) public key at the bottom of the page.
In January, the targeted researchers reported that the PGP key hosted on the attacker’s blog acted as the lure to visit the site where a browser exploit was waiting to be triggered.
“The attacker’s latest batch of social media profiles continue the trend of posing as fellow security researchers interested in exploitation and offensive security,” Adam Weidemann of Google’s Threat Analysis Group said in a blog post on Wednesday.
“On LinkedIn, we identified two accounts impersonating recruiters for antivirus and security companies. We have reported all identified social media profiles to the platforms to allow them to take appropriate action,” Weidemann said.
Google said that it has not yet observed the new attacker website serve malicious content, but it has added it to “Google Safebrowsing” as a precaution.