N. Korean hackers spoof emails of S. Korean reporters, lawmaker’s office in phishing scheme

Posted on : 2022-12-26 18:03 KST Modified on : 2022-12-26 18:03 KST
The emails appeared to have originated from the hacking group Kimsuky
(Getty Images Bank)

A North Korean hacking organization impersonated South Korean reporters, a National Assembly member’s office, and a public institution to send phishing emails to hundreds of foreign affairs and national security experts, it has been learned.

On Sunday, the cyber investigation bureau of the National Police Agency presented findings concluding that numerous fraudulent emails appeared to have been sent by “Kimsuky,” a hacker group affiliated with North Korea’s Reconnaissance General Bureau.

The emails in question included messages purportedly from a reporter covering the presidential transition committee on April 28, a secretary in the office of National Assembly member Thae Yong-ho on May 7, and the Korean National Diplomatic Academy on Oct. 26.

According to the police’s investigation, the hackers routed their traffic through 326 servers in 26 countries (87 of them in South Korea) to disguise the originating IP addresses, and used them to send emails impersonating reporters, National Assembly members and other sources to at least 892 South Korean experts on foreign affairs, unification, national security and defense issues.

The emails either carried malicious programs as attachments or directed readers to a phishing site built to harvest account credentials. Forty-nine experts to date were confirmed to have entered their ID and password on the phishing site, which accurately mimicked a Naver or Google login page.

With the stolen credentials, the group reportedly monitored the victims’ incoming and outgoing mail in real time while its members took attached documents and address books from the compromised accounts.

But according to police, most of the victims were university professors or non-government researchers, and no researchers with state institutions were identified among them.

Police concluded that the incidents were the work of Kimsuky after comparing them with the methods used in a 2014 hacking incident at Korea Hydro & Nuclear Power and a 2016 incident involving Office of National Security impersonation emails.

As bases for their conclusion, they pointed to common aspects including the IP addresses from which the attacks originated, the account registration details used on overseas sites, the methods used for breaking into and managing intermediate servers, and the characteristics of the malicious programs.

Other factors that pointed to Kimsuky as the culprit were the fact that the attacks targeted foreign affairs experts and evidence of North Korean vocabulary, such as “wakjjin” rather than the South Korean “baeksin” for “vaccine,” in internet searches on a computer used as an intermediary server.

Kimsuky was previously identified as the group responsible for orchestrating hacking attacks on the Korea Atomic Energy Research Institute in 2021 and a pharmaceutical company in 2020.

The police also found that the same hacking organization had infected 19 servers at 13 South Korean companies with ransomware and was demanding money to restore them. Two of the companies had each paid 1.3 million won (US$1,020) in bitcoins to the group, the police added.

After notifying the victims and their companies of the situation, police collaborated with the Korea Internet & Security Agency and an antivirus vendor (a “vaccine company” in Korean usage) to shut down the phishing site. They also provided the institutions in question with information about the intrusion methods and tools used by North Korean hackers.

“People need to be rigorous about managing their accounts, including regularly changing their email passwords and setting up two-factor authentication while blocking connections from other countries,” urged Lee Gyu-bong, head of the National Police Agency’s cyberterrorism investigation team.

By Lee Woo-yun, staff reporter

Please direct questions or comments to [english@hani.co.kr]

