Earlier this week, Google’s Threat Analysis Group published a warning that North Korea (DPRK) is targeting security researchers who work on vulnerability research and development. Google’s purpose is straightforward: to “remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.”
Which is a long way around to saying that targeting is occurring and that DPRK action elements are reaching out and touching you via social networks, email, and various apps. The modus operandi identified by Google is explained in the report through an operational example involving fictitious Twitter profiles. The gaggle of accounts would re-tweet one another’s content to bolster their following, in a quest for legitimacy in the eyes of the casual observer. The accounts shared links to material likely to interest a security researcher, be it a blog post or a video.
Their use of social engineering techniques is not surprising, and their targeting crossed multiple platforms, including Twitter, LinkedIn, Telegram, Discord, Keybase, and email.
Nota Bene: Security Researchers and Clearance Holders
This is not the first time targeting of security researchers or cleared personnel has occurred and certainly won’t be the last.
In October 2017, Cisco Talos published a report revealing that the Russian Federation was targeting security researchers within the U.S. and NATO cyber security footprint. In that instance, the attackers created a fictitious, yet plausible, document about a collaborative effort between the U.S. Military Academy and NATO as the hook to compromise recipients’ computers and networks.
In November 2016, then Federal CISO General Gregory Touhill admonished cyber security professionals within the Federal space that they needed to become a hardened target. He explained the need to heighten cyber risk awareness so as to help the workforce become “hard targets.”
Similarly, in June 2019 the FBI’s Office of Private Sector issued a Liaison Information Report explicitly warning the private sector that foreign intelligence services continue to target the corporate and federal workforce via social media platforms, with emphasis on those holding national security clearances. Similar warnings were issued by France in 2018 and by the United Kingdom in 2015.
You are the target
The message to the cybersecurity workforce is as solid today in January 2021 as it was in November 2016: you are the target.
As we often say, the adversary chooses the target; the target chooses how to respond when they find themselves in the cross hairs.
FSOs (facility security officers) should avail themselves of the list of threat actors Google provides in its report and share it with their personnel as a prophylactic measure. They should also ensure that all personnel, not just those with cybersecurity chops, have guidance on how to react when approached by an unfamiliar entity or person, whether in person or virtually via social networks.