Twitter accounts linked to cyberattacks against security researchers suspended

North Korean hackers are luring professionals with "zero-day vulnerability hype."

Twitter has suspended accounts belonging to a North Korean hacking group targeting security researchers. 

The social media accounts, @lagal1990 and @shiftrows13, were suspended this month after "posing as security researchers," according to Google Threat Analysis Group (TAG) analyst Adam Weidermann, who added that the profiles "leaned on the hype of 0-days to gain followers and build credibility."

As noted by Threatpost, another account, @lagal1990, was closed for the same reason in August.

The campaign, believed to be the work of state-sponsored North Korean cyberattackers, has been tracked by the Google TAG team over the past year. 

First documented in January 2021, the campaign includes the creation of a network of fake profiles across platforms including Twitter, LinkedIn, Keybase, and GitHub. 

The fake profiles are riding on interest in exploits and zero-day bugs to establish an aura of credibility and will post content such as proof-of-concept (PoC) code and exploit techniques. 

According to Weidermann, the fake accounts were found by researchers Francisco Alonso and Javier Marcos.

"We (TAG) confirmed these are directly related to the cluster of accounts we blogged about earlier this year," Weidermann commented. "In the case of @lagal1990, they renamed a GitHub account previously owned by another of their Twitter profiles that was shut down in Aug, @mavillon1."

The cluster of accounts is used to reach out to their intended targets, including well-known and credible security researchers. A research blog, too, was published online, and videos have been uploaded online claiming to be proof of exploits and bugs.

"They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control," Google TAG says. 

However, once communication has been established, the North Korean group then asks their targets if they are interested in collaborating on security research. 

Links are then sent to researchers to a blog that contains browser exploits including an Internet Explorer zero-day unmasked in January. Alternatively, they may also be sent a malicious Visual Studio project file containing a backdoor, granting the attackers entry into their victim's machine -- and the information contained therein. 

In March, the group created a fake Turkish offensive security company called SecuriElite, with a batch of profiles linked to this firm pretending to be made up of cybersecurity researchers and recruiters. 

Last week, Google TAG documented efforts to counter attacks from APT35, an Iranian group specializing in phishing campaigns against high-risk users of Google, including campaign staffers during the 2020 US election. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0