Cyber spies suspected of working for the North Korean regime have broadened attacks against official and corporate targets in South Korea, at a time of raised attention on nuclear negotiations and as its economy suffers from international sanctions.

Early morning on Jan. 7, a group of reporters covering South Korea’s ministry in charge of relations with North Korea received a suspicious email carrying malicious code.

The malicious email was disguised as an invitation to a press conference to preview a second summit between the US President Donald Trump and North Korean leader Kim Jong-un, intended to lure journalists into opening the message. 

An information technology expert who analyzed the email said it may have originated from North Korea based on the names of the attached files and how it fits into a pattern of attacks.

It was one of a series of cyberattacks carried out by hacking groups linked to Pyongyang against Seoul’s institutions related to diplomacy, military and unification to steal highly classified intelligence.

“The hackers used one of the cyberattack techniques that state-backed agents utilize for spy missions,” Mun Chong-hyun, director of the security response center of ESTsecurity, told The Korea Herald.

Cybersecurity experts have been warning of the increasing sophistication of hackers from the North. North Korea’s estimated 7,000-strong cyber army of hackers perform a wide range of activities, including theft, denial of service and espionage.

Crowdstrike, a US cybersecurity firm, described North Korea as a growing threat in its 2019 global cyber threats report and suggested that the rise of “nation-state-linked ransomware” is a pressing concern.



Return of Kimsuky

The diplomatic situation appears to be a decisive factor for state-backed hacking groups’ activities.

Following the emergence of the hacking activities in recent months, Seoul-based cybersecurity company AhnLab published a report on March 5 that a cyberespionage campaign dubbed “Kimsuky” had resumed.

Kimsuky, which originated in North Korea, was first detected by foreign security experts in April 2013 when it targeted think tanks such as the Korea Institute for Defense Analyses and the Sejong Institute, as well as the Ministry of Unification.

The cyberattacks were waged six years ago amid heightened tensions on the Korean Peninsula after Pyongyang carried out its third nuclear tests and threatened attacks on neighboring countries.

This time, gathering and leveraging diplomacy-related information is critical for the isolated country to gain the upper hand in negotiations with the US and South Korea.

“Knowing what the opponent is holding in his hands will increase the chance of winning and it could encourage hackers to dig deeper into diplomatic data,” Mun said.

Since 2013, methods employed as part of Kimsuky have resurfaced in several high-profile hacks that cyber experts suspect were orchestrated by North Korea.

The security response center of ESTsecurity announced on March 18 that it detected attacks targeting those who work in North Korea-related fields.

The hacking group, which the center named “Geumseong121,” used the spear phishing method -- targeted cyber scams to lure users to malicious websites or to infect PCs via malicious attached files in order to access systems and sensitive data.

“Geumseong 121 is engaged in increasingly advanced intelligence activities against Korea’s foreign affairs, security, unification, defense, North Korean organizations and defectors,” it said.

The IT center said it strongly suspect that there is a relations between Geumseong 121 and Kimsuky as the two groups target similar groups.

Kimsuky was blamed for the December 2014 cyberattacks against South Korea’s Korea Hydro & Nuclear Power, which runs 23 nuclear reactors, following investigations into internet addresses used in the hacking.

“The malicious code used for the nuclear operator hacks were the same in composition and working methods as the so-called ‘Kimsuky’ that North Korean hackers use,” a statement from the Seoul central prosecutors’ office said.

The same type of malware that was used in the Kimsuky operation was found again in 2016, attacking officials at the Ministry of Foreign Affairs, Ministry of National Defense and Ministry of Unification.

“North Korea’s hacking ability is surprisingly powerful given the fact they hacked into the intranet of the Defense Ministry,” a cybersecurity expert said on condition of anonymity.



State-sponsored fundraisers for North Korean regime?

North Korea’s hacking groups are increasingly seeking money, shifting from its conventional role of stealing data, according to the AhnLab Security Emergency Response Center.

“It is believed that the groups are launching attacks for monetary profit as the economic situation worsens due to sanctions against North Korea,” it said in a report.

Kimsuky has deployed malicious software through a Microsoft Excel file on South Korea’s cryptocurrency and clothing companies, according to the AhnLab report. The report analyzed the hacks as having been conducted under the codename “Operation Kabar Cobra.” The company did not elaborate on financial losses caused by the attacks that occurred in January.

When bitcoin began surging to record highs in 2017, North Korea-linked hackers targeted cryptocurrency investors and exchanges.

The North Korean hacking group Lazarus reportedly reaped as much as $571 million by conducting 14 hacks on crypto exchanges between January 2017 and late 2018.

“When your hacking techniques get sharpened enough, you can find ways to make money online whether it’s a website of a bank or a crypto exchange,” ESTsecurity’s Mun said.

Experts and analysts also believe the North Korean regime was behind the $81 million cyber heist of the Bangladesh Central Bank in 2016, also conducted by North Korea’s Lazarus Group.

“Hacking seems to have become a useful tool for North Korea to make money and evade sanctions as its traditional way of obtaining foreign currency, such as counterfeit notes and weapon sales, have been blocked due to international restrictions,” a cybersecurity source said on condition of anonymity.


By Park Han-na (hnpark@heraldcorp.com)