Google recently published the results of its Threat Analysis Group’s study of a North Korean cyberespionage campaign targeting security researchers, this time built around a fictitious company supported by fake LinkedIn and Twitter personas.
Google’s Threat Analysis Group published research on “SecuriElite” and its engagement on the LinkedIn and Twitter social networks. The modus operandi is very similar to that previously encountered in January 2021, when the Google team first discovered North Korea-generated personas attempting to engage and compromise western security researchers by posing as peers with expertise in offensive cyber security and exploitation.
North Korea’s cover for action centered on SecuriElite, ostensibly a company located in Turkey. The company, fabricated from whole cloth, professes to offer pentests, software security assessments, and exploits. A link to a PGP public encryption key at the bottom of the company’s site is one of the hooks used by the North Koreans to draw the target to a controlled website where a “browser exploit was waiting to be triggered.”
LinkedIn and Twitter Accounts from North Korea
The identified LinkedIn and Twitter accounts created and used by North Korea include:
North Korea LinkedIn Accounts
- SecuriElite – https://www.linkedin.com/company/securielite/
- Carter Edwards, HR Director @ Trend Macro – https://www.linkedin.com/in/carter-edwards-a99138204/
- Colton Perry, Security Researcher – https://www.linkedin.com/in/colton-perry-6a8059204/
- Evely Burton, Technical Recruiter @ Malwarebytes – https://www.linkedin.com/in/evely-burton-204b29207/
- Osman Demir, CEO @ SecuriElite – https://www.linkedin.com/in/osman-demir-307520209/
- Piper Webster, Security Researcher – https://www.linkedin.com/in/piper-webster-192676203/
- Sebastian Lazarescue, Security Researcher @ SecuriElite – https://www.linkedin.com/in/sebastian-lazarescue-456840209/
North Korea Twitter Accounts
- Alex Joe – https://twitter.com/alexjoe9983
- Ben Hemmings – https://twitter.com/BenH3mmings
- Julia – https://twitter.com/julia0235
- Chape – https://twitter.com/chape2002
- Osman Demir – https://twitter.com/osm4nd
- Sebastian Lazarescue – https://twitter.com/seb_lazar
- SecuriElite – https://twitter.com/securielite
North Korea Associated Websites
[NB: None of the above links to social networks or websites should be visited and are provided for information security and counterintelligence purposes.]
Takeaways for FSOs
A review of the personas created for this foray highlights the concerted effort to build disarming, yet credible, identities with no visible connection whatsoever to North Korea. Briefed personnel should be reminded to report any anomalous approaches they encounter, whether from individuals known or unknown to them.
FSOs will be well served to ensure the aforementioned names, links and modus operandi are provided to their information security teams and included in the counterintelligence briefings given to personnel, so that any engagement is identified and immediately remediated.
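One concrete way an information security team can act on the profile links listed above is to match them against web proxy logs, so that any visit to one of the personas’ pages from the organization is surfaced for counterintelligence follow-up. The script below is an added example written for this page, not code from Google’s Threat Analysis Group or from the original article. It assumes a simple proxy log format of “timestamp user method url” (constructed here for demonstration) and a small, assumed table of host aliases (www./mobile. front ends) so that case, query strings, trailing slashes and mobile hostnames do not cause a listed profile to be missed.

```python
import re
from urllib.parse import urlsplit

# Profile URLs reported in Google TAG's research (the same list given above on this page).
NK_PROFILE_URLS = [
    "https://www.linkedin.com/company/securielite/",
    "https://www.linkedin.com/in/carter-edwards-a99138204/",
    "https://www.linkedin.com/in/colton-perry-6a8059204/",
    "https://www.linkedin.com/in/evely-burton-204b29207/",
    "https://www.linkedin.com/in/osman-demir-307520209/",
    "https://www.linkedin.com/in/piper-webster-192676203/",
    "https://www.linkedin.com/in/sebastian-lazarescue-456840209/",
    "https://twitter.com/alexjoe9983",
    "https://twitter.com/BenH3mmings",
    "https://twitter.com/julia0235",
    "https://twitter.com/chape2002",
    "https://twitter.com/osm4nd",
    "https://twitter.com/seb_lazar",
    "https://twitter.com/securielite",
]

# Assumption: these front-end hostnames serve the same profile pages.
# Extend this table for whatever variants your proxy actually records.
HOST_ALIASES = {
    "www.linkedin.com": "linkedin.com",
    "linkedin.com": "linkedin.com",
    "twitter.com": "twitter.com",
    "www.twitter.com": "twitter.com",
    "mobile.twitter.com": "twitter.com",
}


def normalize(url):
    """Reduce a URL to a (host, path) key so that scheme, letter case,
    query string, trailing slash and host alias differences do not break a match."""
    parts = urlsplit(url.strip())
    host = HOST_ALIASES.get(parts.netloc.lower(), parts.netloc.lower())
    # LinkedIn slugs and Twitter handles are case-insensitive, so lower-case the path.
    path = parts.path.lower().rstrip("/")
    return host, path


# Map each normalized key back to the indicator as listed, for reporting.
INDICATORS = {normalize(u): u for u in NK_PROFILE_URLS}

# Assumed (constructed) proxy log format: "<timestamp> <user> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_proxy_log(lines):
    """Return one finding per log line whose URL is one of the listed persona profiles."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        key = normalize(m.group("url"))
        if key in INDICATORS:
            findings.append({
                "timestamp": m.group("ts"),
                "user": m.group("user"),
                "url": m.group("url"),
                "indicator": INDICATORS[key],
            })
    return findings


# Constructed sample log lines for demonstration only; not real traffic.
SAMPLE_LOG = [
    "2021-04-01T09:12:03Z jdoe GET https://www.linkedin.com/feed/",
    "2021-04-01T09:14:51Z jdoe GET https://www.linkedin.com/in/Osman-Demir-307520209/?trk=people-guest",
    "2021-04-01T10:02:17Z asmith GET https://mobile.twitter.com/seb_lazar",
    "2021-04-01T10:05:00Z asmith GET https://twitter.com/home",
    "garbage line",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['user']} visited {f['url']} -> matches {f['indicator']}")
```

Feeding real proxy output into scan_proxy_log only requires adjusting LOG_RE to the log format in use; the match itself is deliberately forgiving on case, query parameters and mobile hostnames, because a visit recorded as Osman-Demir-307520209/?trk=… is the same profile as the one Google listed. A hit is a prompt for a counterintelligence conversation with the user, not proof of compromise.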
In essence, North Korea is going to school on China’s successful utilization of LinkedIn and is creating a similar playbook designed to identify and vet targets of interest using information the targets themselves have published. The North Korean espionage effort utilizing the very public social networks of LinkedIn and Twitter can be expected to continue.