North Korean cyber attacks target South Korean political experts
Cyber warfare / nation state attacks, fraud management and cybercrime
Of nearly 900 people targeted, 49 confirmed victims fell for Kimsuky APT phishing attacks
Mihir Bagwe (MihirBagwe) •
28 December 2022
A North Korean state-backed APT group targeted nearly 900 South Korean foreign policy experts to steal their personal information and also carried out ransomware attacks, South Korean police said.
South Korea’s National Police Agency said at a press conference on Sunday that the attackers used a phishing campaign to trick victims into revealing their personal data.
The targeted individuals mainly had backgrounds in diplomacy, defense and security and worked on Korean unification issues. At least 49 recipients fell for the phishing lures, police said.
Attribution and promotion
Police attribute the latest campaign to the North Korean advanced persistent threat group Kimsuky, the same group they suspect of hacking Korea Hydro and Nuclear Power in 2014. The group is historically known for targeting think tanks and journalists around the world.
Kimsuky, a state-sponsored APT also known as Thallium, Black Banshee and Velvet Chollima, has been active since 2012. North Korea allegedly uses the group to gather intelligence on foreign policy and national security issues related to the Korean Peninsula, and espionage has been its primary motive until now. Police said this is the first time they have observed the group deploying ransomware and demanding a ransom in exchange for decrypting the data.
About 19 servers operated by 13 companies were hit by a ransomware variant, and two of those companies paid a ransom of 2.5 million won (US$1,980) in bitcoin to the group, according to the Korean National Police Agency.
The US government warned in 2020 that Kimsuky had also been active in the US and Japan.
In the latest campaign, the threat actor sent spear-phishing emails from several accounts impersonating authoritative figures in the country, police said. Among those targeted were a reporter attached to the 20th presidential transition committee in April, a secretary from the office of Tae Yong-ho of the ruling People Power Party in May and an official from the Korean National Diplomatic Academy in October.
Every email contained either a link to a fake website or a malware attachment. To avoid being traced, the attackers routed their activity through the IP addresses of hacked servers: they had taken over 326 servers in 26 countries, 87 of which belonged to organizations in Korea.
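The lure pattern described above, a sender display name that borrows an official's authority while the address points elsewhere, a link to a look-alike site, or a malicious attachment, can be triaged mechanically at the mail gateway or in an analyst's inbox. The following is an added example written for this page, not code from the article, the police or any vendor. It parses a constructed message with Python's standard `email` package and reports four indicators: an untrusted sender domain behind a display name, a Reply-To that diverges from From, an HTML link whose visible text and real target differ, and attachments with extensions the organization considers risky. The trusted-domain set, the extension list and both sample messages are assumptions made for the example.

```python
"""Triage check for spear-phishing lures that impersonate an official.
Added example, not code from the article; sample messages and the
domain/extension lists below are constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed: domains the organisation treats as its own (placeholder values).
TRUSTED_DOMAINS = {"example.gov.kr"}
# Assumed: attachment types worth flagging; .hwp (Hangul Word Processor)
# documents are common lures in Korean-language campaigns.
RISKY_EXT = {".exe", ".scr", ".lnk", ".hwp", ".docm", ".iso", ".zip", ".html"}
LINK_RE = re.compile(r'href=["\'](?P<href>[^"\']+)["\'][^>]*>(?P<text>.*?)</a>', re.I | re.S)


def domain_of(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    """Host part of an http(s) URL, or '' if the string is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def triage(raw: str) -> list:
    """Return a list of indicator strings for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # Display-name impersonation: a name is shown, but the address is not ours.
    if name and from_dom and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display-name '{name}' sent from untrusted domain {from_dom}")
    # Replies silently redirected to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")
    body = ""
    for part in msg.walk():
        fn = part.get_filename()
        if fn:
            ext = "." + fn.rsplit(".", 1)[-1].lower() if "." in fn else ""
            if ext in RISKY_EXT:
                findings.append(f"risky attachment {fn}")
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_content()
    # Link text that shows one host while the href goes to another.
    for m in LINK_RE.finditer(body):
        href_host = host_of(m["href"])
        text = m["text"].strip()
        text_host = host_of(text) or (text.lower() if "." in text else "")
        if href_host and text_host and href_host != text_host:
            findings.append(f"link text {text_host} points to {href_host}")
    return findings


# Constructed sample lure (not a real message from the campaign).
SAMPLE_LURE = """\
From: "Office of the National Assembly Member" <press.office@mail-notice.example>
Reply-To: replies@other-domain.example
To: analyst@example.gov.kr
Subject: Request for comments on unification policy
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the attached questionnaire or open it online:
<a href="http://login.mail-notice.example/doc">https://portal.example.gov.kr/doc</a></p>
--b1
Content-Type: application/octet-stream; name="questionnaire.hwp"
Content-Disposition: attachment; filename="questionnaire.hwp"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign message from a trusted domain, for comparison.
SAMPLE_CLEAN = """\
From: "Policy Desk" <desk@example.gov.kr>
To: analyst@example.gov.kr
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Notes will follow next week.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(label, triage(sample))
```

None of the four checks is proof of malice on its own; a mismatched Reply-To is common in legitimate mail, and a trusted-domain allowlist does nothing against a compromised internal account. The value is in combining several weak indicators before a human looks at the message, which is also why the checks return a list rather than a verdict.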
Outlook for state-sponsored hacking in 2023
In 2021, cybersecurity researchers at Proofpoint observed a significant increase in the cyberespionage activities of the Kimsuky APT. The group targeted diplomats and political experts across Asia, the UK and the US (see: The North Korean APT Group is stepping up espionage operations in 2021).
In 2022, Android malware developed by the group emerged that targeted South Korean users by disguising malicious apps as legitimate ones, including a Google security plugin and a document viewer (see: North Korea disguises Android malware as legitimate apps).
Police expect North Korean hacking activity to continue and urged the public to secure their email accounts and other critical systems.
In a press conference on December 22, the National Intelligence Service also predicted that North Korea's cyber offensive will continue next year. Baek Jong-wook, deputy director of the NIS, outlined potential threats to the country's cybersecurity in 2023, saying state-backed hackers from North Korea and China will continue attacking South Korea to steal intellectual property.
South Korea's nuclear, aerospace, semiconductor and defense sectors, along with its joint strategies with the US, are likely to be on the radar, Baek said.
South Korea was subject to an average of 1.18 million attempted cyberattacks per day in November from hackers around the world. Baek said North Korean hackers are known to target virtual assets such as cryptocurrencies, and he estimates that they have stolen nearly $1.72 billion in cryptocurrency worldwide since 2017.
Blockchain security firm SlowMist revealed this week that North Korean attackers are using phishing websites to impersonate popular non-fungible token platforms and decentralized financial marketplaces to steal thousands of dollars worth of digital assets (see: North Korean hackers steal NFTs via phishing websites).
To counter these attacks, the NIS on December 22 launched a new National Cyber Security Cooperation Center that combines the capabilities of private cybersecurity companies and government departments to help defend against future cyberattacks targeting South Korea.