Joint Operation by South Korean Intelligence Agencies... Warning on New Tactics of North Korea's Kimsuky
Exploiting Google Services... Sophisticated Approaches in Attack Methods
The National Intelligence Service (NIS) has revealed new cyberattack methods used by North Korea's representative hacking group, 'Kimsuky.' The group exploits legitimate functions of widely used 'Google services' to install malicious programs or hacking apps on victims' electronic devices and then steal information.
On the 20th, the NIS announced that it had jointly prepared a cybersecurity advisory warning about the risks of Kimsuky's sophisticated new cyberattacks in cooperation with the German Federal Office for the Protection of the Constitution (BfV). This is the second joint advisory the NIS has prepared with overseas intelligence agencies, following the one with the United States last month. Previously, on the 10th of last month, the NIS had issued a joint advisory together with the U.S. National Security Agency (NSA) and Federal Bureau of Investigation (FBI).
Kimsuky, linked to North Korea's Reconnaissance General Bureau, is one of North Korea's leading hacking groups alongside Lazarus. It is known for cryptocurrency hacking to fund nuclear and missile development, as well as spear-phishing attacks targeting defense contractors to steal information related to weapons of mass destruction (WMD) development. Besides the name Kimsuky, the group is also referred to as 'Thallium,' 'Velvet,' or 'Cheollima.'
The NIS and the BfV noted that Kimsuky's attack methods have recently become more sophisticated, including exploiting popular 'Google services.' The representative attack methods disclosed by the Korean and German intelligence agencies are Google Mail theft and abuse of Google Play synchronization, both characterized by the exploitation of legitimate functions normally provided by Google without any disguise.
First, Google Mail theft involves abusing extensions of the 'Chromium browser.' Chromium is an open-source web browser project developed by Google, and well-known browsers such as Google Chrome, Microsoft Edge, and Naver Whale are based on Chromium. According to the NIS, hackers send spear-phishing emails containing malicious links to victims and induce the installation of malicious extensions that operate within the browser. If the victim installs this extension, the hacker can steal the victim's email contents in real time without requiring separate login credentials.
Additionally, a newly discovered hacking technique exploits the 'Google Play synchronization' feature to install malicious apps on smartphones. The hacker begins the attack by logging into the victim's Google account on a PC using credentials stolen through phishing emails or other means. Once the hacker is logged in, the Google Play synchronization feature activates, and without any further action from the victim, malicious apps are automatically installed on the smartphone. These apps are registered by the hacker on Google Play as test apps and synchronized with the victim's account. Once installed, the apps allow the hacker to steal data stored on the victim's smartphone unimpeded.
An NIS official stated, "Most recent attacks by Kimsuky, linked to North Korea's Reconnaissance General Bureau, are carried out through spear-phishing," and urged, "Users should learn how to identify malicious emails and follow precautions when receiving suspicious emails." Detailed information on the joint advisory, specific prevention methods, and technical indicators of compromise (IoC) can be found on the websites of the NIS or the National Cyber Security Center.
Furthermore, the NIS emphasized the 'importance of international cooperation' as the reason for preparing the joint advisory with German intelligence agencies following the U.S. agencies last month. An NIS official explained, "The attack methods of state-backed hacking groups continue to evolve at this very moment," and added, "International cooperation has become essential to effectively respond to such attacks."
Baek Jong-wook, the NIS Deputy Director, said, "We urge heightened vigilance regarding North Korea's new hacking activities and special caution in daily life," and stated, "The NIS will continue to issue joint security advisories with countries around the world to ensure that not only South Korea but the entire world can safely use cyberspace."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.


