North Korean Cyberattacks Target South Korean Policy Experts
Out of 900 Targeted, 49 Victims Confirm Falling for Kimsuky APT Phishing Attacks
A North Korean state-sponsored APT group targeted nearly 900 foreign policy experts from South Korea to steal their personal information and carry out ransomware attacks.
The South Korean National Police Agency in a press conference on Sunday said the attackers used a phishing campaign to trick the victims into exposing their personal data.
The targeted individuals mainly had backgrounds in diplomacy, defense and security and were working toward Korean unification. At least 49 recipients fell for the phishing tricks, police said.
Attribution and Campaign
Police attribute the latest campaign to the North Korean advanced persistent threat actor Kimsuky - the same group that police suspect hacked Korea Hydro and Nuclear Power in 2014. This APT is historically known to target think tanks and journalists around the globe.
Kimsuky, a state-sponsored APT also known as Thallium, Black Banshee and Velvet Chollima, has been active since 2012. North Korea allegedly leverages the APT to collect intelligence on foreign policy and national security issues related to the Korean Peninsula, and espionage has been its primary motive until now. The police said this is the first time they have observed the use of ransomware malware and a subsequent ransom demand in exchange for unencrypted data.
Approximately 19 servers operated by 13 companies were hit with a ransomware variant, and two of these companies paid a ransom of 2.5 million won (US$1,980) worth of bitcoin to the group, according to the Korean police agency.
The U.S. government warned in 2020 that Kimsuky also had been active in the United States and Japan.
In the latest campaign, the threat actor sent spear-phishing emails from multiple accounts impersonating authoritative figures in the country, police say. Among those targeted were a reporter associated with the 20th Presidential Transition Committee in April, a secretary from the office of Tae Yong-ho of the ruling People Power Party in May and an official from the Korean National Diplomatic Academy in October.
All emails included a link to a fake website or an attachment carrying malware. To avoid being traced, threat actors used IP addresses from hacked servers. The attackers took over 326 servers across 26 countries, 87 of which belonged to organizations within Korea.
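The tactics described above (a known official's name in the display name, a sender address that does not belong to that official, and a link whose visible text differs from where it actually points) are the kind of indicators a mail gateway or analyst script can screen for. The following is an added example, not code from the article or from any of the agencies named in it; the two sample messages, the table of known senders and the `.test` domains are constructed placeholders.

```python
"""Heuristic screening for the spear-phishing pattern in the article:
impersonation of an authoritative sender plus a link to a look-alike site.
Added example; sample data and the KNOWN_SENDERS table are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed directory: legitimate display name -> domains it really sends from.
KNOWN_SENDERS = {
    "Korea National Diplomatic Academy": {"example-knda.test"},
}

# Matches <a href="...">label</a> in an HTML body (case-insensitive, multi-line).
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Finds something that looks like a hostname inside the visible link text.
HOST_IN_TEXT_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)


def registrable(host):
    """Crude registrable-domain comparison: last two DNS labels.
    A real deployment would use a public-suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address, or ''."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name of a known sender, but the address is from another domain.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    expected = KNOWN_SENDERS.get(name.strip())
    if expected and from_domain not in expected:
        findings.append(f"display-name impersonation: '{name}' sent from {from_domain}")

    # 2. Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain mismatch: {reply}")

    # 3. Visible link text names one site while href points to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in HREF_RE.findall(text):
        href_host = urlparse(href).hostname or ""
        shown = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", label))
        if shown and registrable(shown.group(0)) != registrable(href_host):
            findings.append(f"link text '{shown.group(0)}' points to {href_host}")
    return findings


# Constructed lure: impersonated name, foreign sender domain, mismatched link.
SUSPICIOUS = """From: Korea National Diplomatic Academy <press@mail-notice.test>
Reply-To: replies@collector.test
To: expert@think-tank.test
Subject: Request for review of unification policy draft
Content-Type: text/html; charset=utf-8

<p>Please review the draft at
<a href="http://login.collector.test/doc">https://example-knda.test/drafts/2022</a>.</p>
"""

# Constructed benign message from the genuine domain, no hidden link.
CLEAN = """From: Korea National Diplomatic Academy <press@example-knda.test>
To: expert@think-tank.test
Subject: Seminar schedule
Content-Type: text/plain; charset=utf-8

The seminar is on Thursday. Agenda: https://example-knda.test/agenda
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, analyze(sample))
```

Each check is independent, so a message can trip one, two or all three; the suspicious sample trips all three and the clean one none. The known-sender table is the part that carries the value here: it has to be maintained for the officials and institutions your users actually correspond with, and the `registrable()` shortcut should be replaced with a public-suffix lookup before relying on the link check for multi-label TLDs.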
Outlook for State-Backed Hacking in 2023
In 2021, cybersecurity researchers at Proofpoint observed a considerable uptick in the cyberespionage operations of Kimsuky APT. The group targeted diplomats and policy experts across Asia, the U.K. and the U.S. (see: North Korean APT Group Steps Up Espionage Ops in 2021).
In 2022, Android malware developed by the APT group emerged to target South Korean users by disguising malicious apps as legitimate ones, including a Google security plug-in and a document viewer (see: North Korea Disguising Android Malware as Legitimate Apps).
Police expect these North Korean hacker activities to continue in the future and urged citizens to secure their email accounts and other critical infrastructure.
In a press conference on Dec. 22, the National Intelligence Service also predicted that North Korea's cyber offensive will continue next year. Forecasting potential threats to the country’s cybersecurity in 2023, Baek Jong-wook, deputy director of the NIS, said that state-backed hackers from North Korea and China will continue their attacks on South Korea to steal intellectual property.
The South Korean sectors of nuclear industry, space, semiconductors, national defense and joint strategies with the U.S. are likely on the radar, the NIS executive said.
South Korea faced an average of 1.18 million attempted cyberattacks every day in November from hackers across the world. Baek said North Korean hackers are known to infiltrate virtual assets such as digital coins as well as cryptocurrencies. He estimates they have stolen nearly US$1.72 billion in cryptocurrency around the world since 2017.
Blockchain security firm SlowMist this week revealed that North Korean attackers are using phishing websites to impersonate popular non-fungible token platforms and decentralized finance marketplaces to steal digital assets worth thousands of dollars (see: North Korean Hackers Steal NFTs via Phishing Websites).
To counter these attacks, the NIS on Dec. 22 introduced a new National Cyber Security Cooperation Center that combines the professional security capabilities of private cybersecurity companies and government departments to help deflect future cyberattacks aimed at South Korea.