Posing as Portal Emails... North Korean Hackers Targeting Untact Gaps

North Korean Hacking Group 'Thallium' Cyber Attacks Surge
Strengthening Attack Techniques Through National-Level Training and Education

North Korean hacker (Image=Getty Images Bank)


[Asia Economy Reporter Jin-gyu Lee] Cyberattacks by North Korean hacking groups are becoming increasingly sophisticated. Their methods are diversifying, including emails disguised as notices from domestic portals or cloud service providers. As the COVID-19 pandemic drags on and the non-face-to-face ("untact") culture spreads, North Korean hacking groups are exploiting the gaps this creates.


North Korean Hacking Group 'Thallium' Cyberattacks Surge

According to the security industry on the 12th, cyberattacks by the North Korean hacking group known as 'Thallium' have recently surged. Thallium became internationally known after Microsoft (hereafter MS) filed a lawsuit against it in a Virginia federal court in December 2019. Last month, MS requested a default judgment because the Thallium defendants did not appear in court; several summonses had been sent to the email addresses the group used. Thallium concentrates its attacks on domestic defense contractors, researchers working on North Korea-related topics, North Korean defectors, and journalists covering North Korea.


Thallium is known to be closely connected to the 'Kimsuky' group, notorious for the 2014 hacking attack on Korea Hydro & Nuclear Power. ESTsecurity's analysis found that the email accounts used by Thallium included domestic service addresses, used Bitcoin-related keywords as IDs, and were closely linked to malware previously reported in Korea.


Recently, phishing emails disguised as messages from the customer center of the domestic portal Naver have been detected. Thallium impersonated a notification claiming that Naver's security feature 'New Device Login Alert' had been disabled. The email stated that the alert feature had been turned off and needed to be reset, and urged recipients to click a 'Set New Device Login Alert' button. Clicking the button opens a page that asks the user to enter the account password "for security purposes." Any credentials entered there are sent to the hacking group.


Last month, a cyberattack impersonating Samsung Cloud was also revealed. Thallium sent malicious emails disguised as messages from the Samsung Cloud service. The email, titled 'Samsung Cloud Gallery Usage Confirmation Notice,' looked like an official Samsung Cloud notice when opened, complete with logos and customer support phone numbers. Its fabricated text claimed that 'there is an unknown service usage record on your account' and encouraged the recipient to click a 'Frequently Asked Questions' link, which redirected to a malicious URL.


The email templates used by Thallium were identical in design to the real customer center notifications sent by these companies, making the phishing emails hard for victims to recognize. The security industry advises particular caution because lures such as 'dormant account notification emails' and 'old cookie information in your email account' are rotated, with the design and wording continuously updated. Moon Jong-hyun, director at ESTsecurity, urged, "To minimize exposure to threats from North Korean hacking groups, carefully check the sender's email address and verify whether the internet URL of the website that prompts you to log in is the official site."
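The two checks in that advice (does the sender's domain belong to the brand, and does every login-prompting link point at the brand's official site) can be automated for a mail gateway or a triage script. The following is an added example written for this article; it is not code from ESTsecurity, Naver, or Samsung. The sample message is constructed to resemble the 'New Device Login Alert' lure described above, the list of official domains is an assumption for the example, and the "last two labels" domain rule is a simplification that a production tool would replace with a public-suffix list.

```python
"""Flag notification emails whose sender or login links fall outside the
brand's official domains.  Added example; the message below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand -> registrable domains a genuine notification would use.
# Assumed for this example; maintain the real list for your environment.
OFFICIAL_DOMAINS = {
    "naver": {"naver.com"},
    "samsung cloud": {"samsungcloud.com", "samsung.com"},
}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (simplification; use a public-suffix list in production).
    A lookalike such as naver.com.login-check.example therefore resolves to login-check.example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_official(url, official):
    """True only if the URL's host belongs to one of the official domains."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) in official


def analyze(raw_message, brand):
    """Return a list of findings for a raw RFC 822 message claiming to be from `brand`."""
    official = OFFICIAL_DOMAINS[brand]
    msg = message_from_string(raw_message)
    findings = []

    # Check 1: sender address must be on an official domain.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if registrable_domain(sender_domain) not in official:
        findings.append(f"sender domain {sender_domain!r} is not an official {brand} domain")

    # Check 2: every link must target an official domain; note when the visible
    # text shows an official-looking URL while the href points elsewhere.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if is_official(href, official):
            continue
        note = ""
        if re.match(r"https?://", text) and is_official(text, official):
            note = " (visible text shows an official URL but the href differs)"
        findings.append(f"link {text!r} -> {href} is outside {sorted(official)}{note}")
    return findings


# Constructed sample modelled on the 'New Device Login Alert' lure; not a real message.
SAMPLE = """\
From: "NAVER" <naver-help@naver.com.login-check.example>
To: target@example.org
Subject: [NAVER] New device login alert has been disabled
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your new device login alert was turned off. Please re-enable it.</p>
<a href="http://naver.com.login-check.example/reset?u=target">Set New Device Login Alert</a>
<a href="https://help.naver.com/">https://help.naver.com/</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE, "naver"):
        print(finding)
```

Running the script reports two findings for the constructed message: the sender domain resolves to login-check.example rather than naver.com, and the 'Set New Device Login Alert' button points at that same lookalike host, while the genuine help.naver.com link passes. The sender check is deliberately weak on its own, since From: headers are trivially spoofed; it is the link check that catches the credential-harvesting page.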


Strengthening Cyberattack Techniques with State-Level Support

Email-borne cyberattacks by North Korean hacking groups that steal information from targeted domestic PCs, as in the Thallium case, are ongoing. North Korean hacking groups are known to be improving their cyberattack skills through state-level training and education. Earlier this year, a spear-phishing attack was discovered that used a document disguised as a seminar presentation by Moon Jung-in, the President's Special Advisor for Unification, Foreign Affairs and National Security, to steal information from targeted PCs; the Kimsuky group was identified as the culprit. In December last year, a malicious file disguised as a Blue House event cost estimate was confirmed, and cyberattacks disguised as messages from North Korean defector support organizations were also found. All of these attacks were backed by North Korean hacking groups, whose campaigns also frequently use malicious files disguised as payroll statements.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

