Researchers at Mandiant Security Solutions said they had uncovered a series of cyberattacks in which hackers working for the North Korean government used new tooling and malware to target digital security researchers, with the aim of infiltrating the companies those researchers work for.
According to the company, the campaign began in June 2020 and introduced three new malware families: Touchmove, Sideshow, and Touchshift.
The researchers suspect that the group, tracked as UNC2970, specifically targeted digital security researchers using LinkedIn accounts belonging to fictitious HR recruiters. These accounts were carefully built to impersonate real people in order to win the victims' trust and raise the odds that the attack would succeed. After making contact on LinkedIn, the attackers attempted to move the conversation to WhatsApp, which they then used to deliver the malware.
The attackers delivered the Plankwalk malware through macros embedded in Microsoft Word documents. If the document is opened and the macro is allowed to run, the macro downloads the malware from the attackers' command-and-control server and executes it. The attackers mainly hosted their malware on compromised websites running WordPress.
Once installed, Plankwalk can deploy a variety of additional tools, including Microsoft Intune, a legitimate device-management application that the attackers abuse to gain access to the target company's servers.
"While the group previously targeted the defense, media and technology industries, targeting security researchers is seen as a shift in strategy or operational expansion," the company said.
Mandiant recommends that companies implement two-step verification, create dedicated secure accounts for managing cloud services, use separate accounts for email and web browsing, and reserve an administrator account for sensitive tasks so that a single account takeover does as little damage as possible. The company added that companies should take further security measures, such as blocking Office macros on corporate networks and establishing stricter policies for access to sensitive services.
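The macro-blocking recommendation above can be checked and enforced on a Windows workstation through the Office Trust Center policy values in the registry. The following PowerShell script is an added example and is not code from Mandiant or from the article; it assumes Office 2016/2019/365 (registry version "16.0") and that the per-user policy hive under HKCU\Software\Policies is used, which on a domain-joined machine is normally populated by Group Policy rather than edited directly.

```powershell
# Added example (not from Mandiant or the article): audit and optionally enforce
# the Office macro policy that the "block macros" recommendation calls for.
# Assumption: Office 16.x; policy values live under HKCU\Software\Policies,
# which Group Policy populates on managed machines. Run as the affected user.

$OfficeVersion = '16.0'                     # assumption: Office 2016/2019/365
$Apps = 'Word', 'Excel', 'PowerPoint'       # applications that run VBA from documents

# VBAWarnings: 4 = disable all macros without notification (strictest)
#              3 = disable all except digitally signed macros
#              2 = disable with notification (default; user can click "Enable")
#              1 = enable all macros (never acceptable)
# blockcontentexecutionfrominternet: 1 = block macros in files carrying the
#              Mark-of-the-Web (downloaded or received as an attachment)

function Get-OfficeMacroPolicy {
    [CmdletBinding()]
    param([string]$Version = $OfficeVersion)

    foreach ($app in $Apps) {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $vba  = $null
        $motw = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $vba   = $props.VBAWarnings
            $motw  = $props.blockcontentexecutionfrominternet
        }
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $vba
            BlockInternetMacros = $motw
            # Compliant only if unsigned macros cannot run (3 or 4) AND
            # Internet-sourced documents are blocked outright.
            Compliant           = ($vba -in @(3, 4)) -and ($motw -eq 1)
        }
    }
}

function Set-OfficeMacroPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Version = $OfficeVersion,
        # 4 blocks everything; use 3 only if the organisation relies on signed macros
        [ValidateSet(3, 4)][int]$VBAWarnings = 4
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $msg = "Set VBAWarnings=$VBAWarnings, blockcontentexecutionfrominternet=1"
        if ($PSCmdlet.ShouldProcess($key, $msg)) {
            New-Item -Path $key -Force | Out-Null     # creates missing parent keys
            Set-ItemProperty -Path $key -Name VBAWarnings -Value $VBAWarnings -Type DWord
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }
    }
}

# Usage: report the current state, then enforce (-WhatIf previews the change).
Get-OfficeMacroPolicy | Format-Table -AutoSize
# Set-OfficeMacroPolicy -WhatIf
# Set-OfficeMacroPolicy
```

A document such as the Word lure described above would, under this policy, open with its macro disabled and no "Enable Content" prompt, so the download from the command-and-control server never happens. In a managed environment the same two values should be pushed through Group Policy so that users cannot relax them from the Trust Center.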
The news comes amid mounting allegations that the North Korean government is behind hacking attacks against the United States and other countries, a claim the North Korean government has denied.