Google's Threat Analysis Group (TAG) reports that a nation-state-sponsored campaign, i.e. an APT (advanced persistent threat), has been targeting security researchers who work on vulnerability research across multiple industries. The goal of the campaign appears to be intellectual property theft.
To date, only activity targeting Windows systems has been observed. The social engineering tactics include:
- Establishing a research blog and multiple Twitter accounts to interact with researchers. The blog contained:
  - posts from unwitting legitimate contributors
  - videos of exploits (most likely faked)
  - write-ups and analysis of publicly disclosed vulnerabilities.
- After establishing initial contact with a targeted researcher, the actor suggested collaborating on vulnerability research.
- The actor then provided a Visual Studio project containing source code for exploiting the vulnerability, along with custom malware.
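A project file received from an unknown collaborator can be reviewed in a text editor before anyone opens it in Visual Studio. The script below is an added example for this notice, not code from TAG's report; the notice does not say how the malicious project delivered its payload, and the script makes no claim about that. It simply lists every place where MSBuild can run a command or load extra logic when a project is built (build events, Exec tasks, non-toolchain imports, task assemblies). Both .vcxproj documents in it are constructed samples.

```python
"""Audit a Visual Studio project file for build-time command execution.

Added example; not code from the original notice or from TAG's report.
The notice does not describe how the malicious project delivered its
payload, so this script only enumerates the MSBuild features that can
execute or load something during a build. The two .vcxproj documents
below are constructed samples.
"""
import sys
import xml.etree.ElementTree as ET

# Elements whose <Command> child MSBuild runs through cmd.exe during a build.
COMMAND_ELEMENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}


def _local(tag):
    """Return the element name without its XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def audit_project(xml_text):
    """Return (location, detail) pairs for everything that executes or is
    loaded at build time. An empty list means the project only compiles."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if name in COMMAND_ELEMENTS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    findings.append((name, child.text.strip()))
        elif name == "Exec":
            # <Exec Command="..."/> inside a <Target>: runs whenever that target runs.
            command = (elem.get("Command") or "").strip()
            if command:
                findings.append(("Exec", command))
        elif name == "Import":
            # Imported .props/.targets files can carry their own commands. The stock
            # toolchain imports start with an MSBuild property such as $(VCTargetsPath);
            # anything else points at a file shipped with the project.
            project = (elem.get("Project") or "").strip()
            if project and not project.startswith("$("):
                findings.append(("Import", project))
        elif name == "UsingTask":
            # A task assembly is arbitrary .NET code loaded by MSBuild itself.
            assembly = (elem.get("AssemblyFile") or elem.get("AssemblyName") or "").strip()
            if assembly:
                findings.append(("UsingTask", assembly))
    return findings


def audit_file(path):
    with open(path, "r", encoding="utf-8-sig") as fh:
        return audit_project(fh.read())


# Constructed sample: a project that runs a script before the build, imports a
# .targets file shipped alongside it, and runs a batch file after the build.
SUSPECT_VCXPROJ = r"""<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <ItemDefinitionGroup>
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
    </ClCompile>
    <PreBuildEvent>
      <Command>powershell -ExecutionPolicy Bypass -File "$(ProjectDir)prebuild.ps1"</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
  <Import Project="build\extra.targets" />
  <Target Name="AfterBuild">
    <Exec Command="$(ProjectDir)tools\run.bat" />
  </Target>
</Project>
"""

# Constructed sample: a project that only compiles.
CLEAN_VCXPROJ = r"""<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <ItemDefinitionGroup>
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
    </ClCompile>
  </ItemDefinitionGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
</Project>
"""

if __name__ == "__main__":
    if sys.argv[1:]:
        results = [(p, audit_file(p)) for p in sys.argv[1:]]
    else:
        results = [("<constructed sample>", audit_project(SUSPECT_VCXPROJ))]
    for path, findings in results:
        print(path)
        for location, detail in findings or [("(none)", "no build-time execution found")]:
            print(f"  {location}: {detail}")
```

Run it as `python audit_vcxproj.py path\to\project.vcxproj` (the script name is an assumption). The check covers the project file only: any .props or .targets file it reports, the solution file, and every binary shipped with the project still need to be looked at, and nothing from an untrusted source should be built on a machine that holds credentials or research data.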
There are also instances of researchers being compromised after visiting the malicious blog via a Twitter link. Victims in these cases were running fully patched versions of Windows and of the Chrome browser.
At this time the mechanism of compromise remains undetermined, but GOIS is adding all of the IOCs (indicators of compromise) listed in TAG's above-referenced report to our security tools.
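Loading indicators into security tools is only useful if the matching is done correctly, and a retrospective sweep of existing logs is the first thing to run once the list is in hand. The script below is an added example, not code from the original notice or from TAG: it sweeps log lines for domain, IP and file-hash indicators, matching domains exactly or as subdomains (so that an unrelated name that merely contains the indicator does not fire) and comparing hashes case-insensitively. Every indicator and log line in it is constructed for the demonstration; the real indicators are the ones in TAG's report.

```python
"""Sweep log lines for a list of indicators of compromise (IOCs).

Added example; not code from the original notice or from TAG's report.
Every indicator and log line below is constructed for the demonstration.
"""
import hashlib
import re

# Constructed sample indicators (not the campaign's real ones). The hash is
# stored upper-case on purpose, to show that comparison is case-insensitive.
SAMPLE_HASH = hashlib.sha256(b"constructed sample file").hexdigest()
IOCS = {
    "domains": {"blog.example-research.test"},
    "ips": {"192.0.2.10"},
    "hashes": {SAMPLE_HASH.upper()},
}

# Constructed sample log lines: proxy, EDR and DNS events.
SAMPLE_LOGS = [
    "2021-01-26T14:02:11Z proxy user=alice dst=https://blog.example-research.test/post/1 status=200",
    "2021-01-26T14:05:40Z proxy user=bob dst=https://example.com/ status=200",
    f"2021-01-26T14:07:03Z edr host=ws-17 file=C:\\Users\\bob\\Downloads\\proj\\helper.dll sha256={SAMPLE_HASH}",
    "2021-01-26T14:09:55Z dns client=ws-17 query=cdn.blog.example-research.test answer=192.0.2.10",
    "2021-01-26T14:10:02Z dns client=ws-22 query=notblog.example-research.test answer=198.51.100.7",
]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*)\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)


def normalise(iocs):
    """Lower-case names and hashes and strip trailing dots so comparisons are exact."""
    return {
        "domains": {d.lower().rstrip(".") for d in iocs.get("domains", ())},
        "ips": set(iocs.get("ips", ())),
        "hashes": {h.lower() for h in iocs.get("hashes", ())},
    }


def matching_domain(candidate, domains):
    """Return the indicator that covers candidate (exact match or a subdomain), else None."""
    name = candidate.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan_logs(lines, iocs):
    """Return (line_number, kind, indicator) for every IOC seen in the lines.
    Each indicator is reported once per line even if it appears several times."""
    iocs = normalise(iocs)
    hits = []
    for number, line in enumerate(lines, 1):
        seen = set()
        for host in HOST_RE.findall(line):
            d = matching_domain(host, iocs["domains"])
            if d:
                seen.add(("domain", d))
        for ip in IP_RE.findall(line):
            if ip in iocs["ips"]:
                seen.add(("ip", ip))
        for digest in HASH_RE.findall(line):
            if digest.lower() in iocs["hashes"]:
                seen.add(("hash", digest.lower()))
        hits.extend((number, kind, value) for kind, value in sorted(seen))
    return hits


if __name__ == "__main__":
    for number, kind, value in scan_logs(SAMPLE_LOGS, IOCS):
        print(f"line {number}: {kind} {value}")
```

On the constructed sample the sweep reports the proxy visit to the blog, the file whose SHA-256 is on the list, and the DNS query for a subdomain of the blog together with the answer that resolves to the listed address; the query for `notblog.example-research.test` does not fire, because the domain check is exact-or-subdomain rather than substring.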