A North Korean hacking group allegedly disguised itself as a Chinese investor on a social media platform, employing this guise to lure victims into engaging with phishing attacks.
According to the blockchain security firm SlowMist, the Lazarus group allegedly crafted a fraudulent account on LinkedIn named “Nevil Bolson.” Purporting to be an investor and entrepreneur, the user represented himself as a founding partner at the Chinese venture capital firm “Fenbushi Capital.” The imposter replicated the legitimate profile of a Fenbushi Capital partner, making minor alterations to the description section and even using an identical profile photo to enhance its appearance of legitimacy.
SlowMist’s Chief Information Security Officer emphasized that LinkedIn served as a crucial tool for the North Korean hacking group to orchestrate phishing attacks against their targets. In an email statement dated April 30, the CISO highlighted that the hackers leveraged the bogus profile to discreetly engage their victims in conversation, often by discussing investment opportunities. Once they captured the users’ interest, the hackers arranged online meetings where unsuspecting targets were duped into downloading malicious code.
On April 24, the CISO revealed further details about the Lazarus group’s maneuvers on the business-oriented online platform. Posting from their account on X, the CISO disclosed that the North Korean hacking group targeted human resources personnel via LinkedIn, posing as job seekers skilled in coding. The malicious actors shared code samples to showcase their proficiency and encouraged their victims to execute them. Through this tactic, the CISO remarked, they aimed to “acquire employee privileges or assets through malware.”
The South Korean intelligence agency has sounded the alarm regarding the North Korean hacking group’s social engineering attacks. In collaboration with its German counterpart, the Federal Office for the Protection of the Constitution (BfV), it issued a joint security advisory last February. “We believe that the Lazarus group has been employing social engineering tactics to infiltrate the defense industry since mid-2020,” stated the National Intelligence Service (NIS) in a press release.
As per the NIS report, the Lazarus group adopted the guise of recruiters on social media platforms like LinkedIn, specifically targeting individuals within the defense industry. Their strategy centered on building trust with potential victims. Under the pretext of offering career advice or consultation, the hackers directed their targets to alternative platforms like Telegram, where they were persuaded to download malicious code.