In January this year, researchers from Google’s Threat Analysis Group (TAG), a security team specialized in identifying and countering government-backed hacking, uncovered several campaigns targeting cybersecurity researchers at different companies.
“Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations,” Threat Analysis Group’s Adam Weidemann said in a blog post. “The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers.”
Security researchers were targeted with malware
The first to discover the previously unknown Internet Explorer (IE) vulnerability were the security researchers at the South Korean security company ENKI. The company was itself among the targets of the attack, whose aim was to exploit the zero-day vulnerability and gain access to the cybersecurity researchers’ data. ENKI then reported its findings to Microsoft.
On Tuesday, Microsoft finally patched the IE vulnerability, tracked as CVE-2021-26411 and rated critical because of how easy it is to exploit. CVE-2021-26411 was particularly dangerous because only low-complexity attack code was needed to exploit it, which a North Korean state-sponsored hacking group used to break into the workstations of cybersecurity researchers around the world. The vulnerability allowed an attacker to deceive a user into visiting a malicious website in Internet Explorer, and it also affected Microsoft’s newer and safer browser, the Chromium-based Edge.
Meet the villain of the story
The culprits are reportedly part of what Microsoft calls Zinc, a group that the United States Federal Bureau of Investigation (FBI) considers a North Korean “state-sponsored hacking organization.” Zinc is known to agencies and cybersecurity firms by other names, such as Lazarus Group, Guardians of Peace, Whois Team, or Hidden Cobra. The group has been active since at least 2009 and was reportedly responsible for the November 2014 leak of confidential data from the film studio Sony Pictures Entertainment.
The group has also been linked to the May 2017 WannaCry ransomware attack, which targeted computers running the Microsoft Windows operating system, and to the late 2020 attacks on several pharmaceutical companies, in which Lazarus Group members posed as health officials and contacted employees of those companies with malicious links. The targets included British-owned AstraZeneca and others involved in COVID-19 vaccine research.