[Opinion] North Korean Hacking Group Uses COVID-19 as Bait for Cyber Attacks

Kim Nak-hyun, Lieutenant, Security Investigation Unit 1, Security Division, Jeonnam Provincial Police Agency


Recently, emails presumed to have been sent by a hacking group supported by North Korea have been targeting an unspecified number of North Korean defectors in hacking attempts that use the COVID-19 virus as bait.


In particular, this attack is believed to use methods similar to those of the organizations, supported by the North Korean regime, that are suspected of being behind the hacking of Korea Hydro & Nuclear Power (KHNP) and NongHyup. What is even more surprising is that it uses the global COVID-19 pandemic to arouse users' curiosity.


What sets this apart from previous cases is that the targets include North Korean defectors, who always long for the safety of their families left in North Korea, as well as personnel working in organizations related to North Korea, who are curious about the scarce COVID-19 information from North Korea.


Meanwhile, when users see an email whose subject seems to offer information about the situation in North Korea and open the attached Word or Hangul document (COVID-19 and North Korea.docx), an APT (Advanced Persistent Threat) attack is executed without their knowledge and malicious files are spread. Every time the computer is turned on, the malicious macros run again, and personal information such as passwords is stolen without the user's knowledge.


Moreover, the emails sent by these attackers pose as coming from unknown overseas Koreans in third countries such as Russia and China, and the IP addresses are routed through overseas servers in various countries, which makes tracking practically impossible.


Therefore, if you receive an email that targets North Korean defectors or personnel related to North Korea, evades detection by security solutions, and carries curiosity-provoking executable files attached in Hangul (hwp) or Word (docx) document formats, treat it as a hacker's attempt to spread malware on your PC. Do not open it, and delete it immediately. Regular security training by frontline police officers responsible for personal protection, including hacking email response drills, will raise awareness of hacking email threats. Just a little effort and attention among members can effectively prevent damage, making it the best defense measure.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
