How do security researchers get hacked?

Max Saltonstall
2 min read · Feb 1, 2021

One of the toughest targets for sophisticated cyber attackers is the security research community itself, those directly responsible for helping protect us all from hacking. And yet, just last week we got to see the methods of a successful, professional and detailed attack in progress today.

In a fascinating blog post from Adam Weidemann of Google’s Threat Analysis Group we can see the details of how a state-sponsored hacking group goes after security researchers — arguably one of the hardest demographics to compromise.

The security teams at Google have a fun tradition. Each time someone departs the team (whether to another Google team or leaving the company) they are given a special parting gift: a knife, with their password engraved onto it.


Yes, their Google corporate password. The one they keep most secret and safe of all. Not willingly divulged, but hacked. Hacked by their own team.

The gifts vary in shape and size, often lovingly crafted and customized to the recipient. And each shows both the creativity and ingenuity of the team. When you need to trick a security expert, you have to be thinking WAY outside the box. That results in each ‘gift’ uncovering new exploits, new tricks or new ways to fool the folks who should be hardest to fool. Bugs get filed, processes improved, security evolves. Stories of these efforts involve clever cameras, fake laptops, keyboard replacements and more.

Even those hardest to fool can be fooled.

Google’s Threat Analysis Group published exactly how experts are being tricked today. In summary, the attackers went through these steps:

  1. Set up fake personas, across Twitter, LinkedIn, Telegram, etc.
  2. Published blog posts and security write-ups (some faked) by these people.
  3. Invited real researchers to ‘collaborate’ on a project.
  4. Sent collaborators a Visual Studio project with custom malware, OR embedded malware in fake blogs that researchers visit.
  5. Established beaconing with command & control domains.
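Step 4 works because a received Visual Studio project is usually just opened and built, and MSBuild will run any shell command wired into the project's build events or Exec tasks. As an added defender-side example (not code from this post or from Google's write-up), the script below lists those commands from a .vcxproj so a researcher can review them before building; the sample project embedded here is constructed for the example.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace used by .vcxproj / MSBuild project files.
MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
NS = {"m": MSBUILD_NS}

# Elements whose <Command> text is handed to cmd.exe during a build.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuild")


def find_build_commands(vcxproj_xml: str):
    """Return (source, command) pairs for every shell command the project would run."""
    root = ET.fromstring(vcxproj_xml)
    hits = []
    for tag in EVENT_TAGS:
        for event in root.iter(f"{{{MSBUILD_NS}}}{tag}"):
            cmd = event.find("m:Command", NS)
            if cmd is not None and cmd.text and cmd.text.strip():
                hits.append((tag, cmd.text.strip()))
    # <Exec Command="..."/> inside a custom <Target> runs as well.
    for exec_task in root.iter(f"{{{MSBUILD_NS}}}Exec"):
        cmd = exec_task.get("Command", "").strip()
        if cmd:
            hits.append(("Exec", cmd))
    return hits


def scan_file(path: str):
    with open(path, encoding="utf-8") as fh:
        return find_build_commands(fh.read())


# Constructed sample: one pre-build event plus one Exec task that runs before Build.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build" xmlns="%s">
  <ItemGroup><ClCompile Include="main.cpp" /></ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent><Command>powershell -NoProfile -File $(ProjectDir)setup.ps1</Command></PreBuildEvent>
    <PostBuildEvent><Command></Command></PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Prep" BeforeTargets="Build">
    <Exec Command="cmd /c $(ProjectDir)prep.cmd" />
  </Target>
</Project>""" % MSBUILD_NS

if __name__ == "__main__":
    findings = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_build_commands(SAMPLE_VCXPROJ)
    for source, command in findings:
        print(f"[{source}] {command}")
```

Anything the script prints runs with the privileges of whoever clicks Build, so review each command (and the files it references) before opening the project in Visual Studio.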

This attack shows sophistication, focus, depth and probably a few unknown vulnerabilities being exploited. Take care of yourselves out there, read through the post to see if you might have been affected, and remember to partition your research activities from your personal browsing.
