North Korea suspected of hacking campaign against South Korea

Cyber attacks on South Korean institutions appear to hail from Northern neighbour, claims anti-virus firm.

An active campaign of espionage against South Korean research institutions is being waged by North Korea, according to an investigation by Kaspersky.

The IT security firm said the North, in a campaign named Kimsuky, is targeting think tanks in the country as well as two Chinese organisations.

The malicious samples we found are the early stage malware most often delivered by spear-phishing emails.

A total of eleven organisations have been the focus of attacks. They include the Sejong Institute, Korea Institute for Defense Analyses (KIDA), South Korea's Ministry of Unification, Hyundai Merchant Marine and the Supporters of Korean Unification, a non-government organisation.

"Partly because this campaign is very limited and highly targeted, we have not yet been able to identify how this malware is being distributed," said Dmitry Tarakanov, a lab expert at Kaspersky. "The malicious samples we found are the early stage malware most often delivered by spear-phishing emails."

The malware carries out keystroke logging, directory listing collection, remote control access and HWP document theft (related to the South Korean word processing application from the Hancom Office bundle, extensively used by the local government). The malware also only disables security tools from Korean security firm AhnLab, which is very popular in South Korea.

The dedicated programme within the malware designed for stealing HWP documents heavily suggest the acquisition of these documents is one of main objectives of the group.

Clues left by the malware point to the North Korean origin of the attackers, Kaspersky said. The profiles of the victims - South Korean universities conducting research on international affairs and producing defense policies for government, a national shipping company, and support groups for Korean unification - "speak for themselves", the firm said. Another clue was in the compilation path used by the malware that contained Korean characters.

"One might easily suspect that the attackers might be from North Korea," said Tarakanov. "The targets almost perfectly fall into their sphere of interest. On the other hand, it is not that hard to enter arbitrary registration information and misdirect investigators to an obvious North Korean origin."

Tarakanov said the malware was "a somewhat unsophisticated spy program that communicated with its master' via a public email server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored."

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now

Recommended

Andrew Daniels joins Druva as CIO and CISO
Cloud

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
University of California gets fleeced by hackers for $1.14 million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Australia announces $1.35 billion investment in cyber security
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
CSA and ISSA form cyber security partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do I fix the Windows 10 Start Menu if it's frozen?
operating systems

How do I fix the Windows 10 Start Menu if it's frozen?

3 Aug 2020