Twitter has suspended two malicious accounts, @lagal1990 and @shiftrows13, that were used as bait for security researchers in what appears to be a North Korean cyber-espionage campaign, with the end goal of getting the targeted researchers to download malware.
The campaign, which is still ongoing, was first identified by Google's Threat Analysis Group (TAG) back in January.
Detailing the Campaign That Used Malicious Accounts
Adam Weidemann, a Google TAG analyst, shared details of the campaign when the January analysis was published. According to his report, the attackers set up a research blog and used the Twitter accounts primarily as a way to distribute links, including links to their own blog posts.
The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from