Kimsuky, North Korean Hacking Group, Infiltrates via QR Codes

FBI Confirms New "Quishing" Attacks Bypassing Security
Account Theft Induced Through QR Code Scans
Disguised as Surveys and Conference Invitations
US Government Calls It an "Organized Campaign"

The Federal Bureau of Investigation (FBI) has warned that the North Korean military intelligence-linked hacking group "Kimsuky" is conducting cyberattacks against the United States and foreign governments and research institutions using a new phishing method that exploits QR codes.

Image: The Federal Bureau of Investigation (FBI) has warned that the North Korean-backed hacking group Kimsuky is conducting hacking attacks using malicious QR codes (Quishing) targeting major U.S. institutions. (Google Gemini generated image)

On January 8 (local time), the FBI issued a cyber security alert stating that the Kimsuky group was found to have carried out so-called "Quishing" attacks targeting non-governmental organizations (NGOs), think tanks, academia, and diplomatic and security experts in May and June of last year. Quishing is a hacking technique that combines QR codes and phishing, in which a malicious URL is embedded in a QR code to attempt to steal information.


According to the FBI, Kimsuky sent emails impersonating foreign consultants, embassy staff, and think tank officials. The emails included malicious QR codes under the pretext of survey participation, secure drive access, or conference invitations. When a victim scans the QR code with a smartphone, they are redirected through a server controlled by the attacker to a fake login page, and account information and authentication tokens are stolen in the process.


In actual cases, a think tank director received an email requesting opinions on the situation on the Korean Peninsula, prompting them to scan a QR code, while a researcher on North Korean human rights received a QR code disguised as secure drive access.


There was also a reported case in which a strategic consulting firm received an invitation to a non-existent international conference, leading to a fake Google login page via a QR code.


The FBI pointed out that such attacks are highly likely to bypass existing email security systems. Even if an email is opened on a secured PC, the process of scanning a QR code often involves using an unmanaged mobile device, which may not be subject to security controls. In such cases, attackers can use phishing pages optimized for mobile environments to bypass multi-factor authentication (MFA) and stealthily steal cloud accounts.


Korean cybersecurity company ENKI WhiteHat also recently reported detecting attacks in which the Kimsuky group used QR codes and mobile notification pop-ups to induce the installation of information-stealing malware. Researchers also confirmed evidence of malicious applications being distributed targeting Android smartphones.


Security experts assess that these attacks show Kimsuky's cyber operations are evolving beyond simple malware distribution, cleverly exploiting user behavior and mobile security blind spots.


In particular, they note that institutions holding high-value information, such as those in policy, diplomacy, and security, are the primary targets, which clearly marks these attacks as state-level cyber espionage operations.


As countermeasures, the FBI recommends: ▲ educating employees about the risks of QR code phishing ▲ prohibiting the scanning of QR codes from unknown sources ▲ implementing mobile device management (MDM) ▲ adopting stronger password policies and multi-factor authentication ▲ strengthening monitoring of activities following QR code scans. The FBI also urges that any related attacks be reported immediately to the FBI or the Internet Crime Complaint Center (IC3).
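One way to approach the recommended monitoring of activity after a QR code scan, shown as an added example that is not part of the FBI alert or this article: correlate delivery of an external email carrying a QR image with a later successful sign-in by the same user from an unmanaged mobile device. The event field names, the `has_qr_image` flag (assumed to be set by a mail gateway that decodes images), the 30-minute window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed correlation window; tune per environment
MOBILE = ("Android", "iOS")

# Constructed sample events; field names are hypothetical, not a real product schema.
MAIL_EVENTS = [
    {"time": "2025-06-02T09:00:00", "rcpt": "director@thinktank.example",
     "external_sender": True, "has_qr_image": True},
    {"time": "2025-06-02T09:05:00", "rcpt": "analyst@thinktank.example",
     "external_sender": True, "has_qr_image": False},
]
SIGNIN_EVENTS = [
    {"time": "2025-06-02T09:07:00", "user": "director@thinktank.example",
     "device_managed": False, "platform": "Android", "result": "success"},
    {"time": "2025-06-02T09:10:00", "user": "analyst@thinktank.example",
     "device_managed": False, "platform": "iOS", "result": "success"},
    {"time": "2025-06-02T11:30:00", "user": "director@thinktank.example",
     "device_managed": True, "platform": "Windows", "result": "success"},
]

def correlate(mail_events, signin_events, window=WINDOW):
    """Return (user, mail_time, signin_time) for each successful sign-in from an
    unmanaged mobile device within `window` after a QR-bearing external email."""
    qr_mail = {}  # recipient -> delivery times of external mail with a QR image
    for m in mail_events:
        if m["external_sender"] and m["has_qr_image"]:
            qr_mail.setdefault(m["rcpt"].lower(), []).append(
                datetime.fromisoformat(m["time"]))
    alerts = []
    for s in signin_events:
        if (s["result"] != "success" or s["device_managed"]
                or s["platform"] not in MOBILE):
            continue
        t = datetime.fromisoformat(s["time"])
        for mt in qr_mail.get(s["user"].lower(), []):
            # Only sign-ins that follow the email, and only inside the window.
            if timedelta(0) <= t - mt <= window:
                alerts.append((s["user"], mt.isoformat(), t.isoformat()))
                break
    return alerts

if __name__ == "__main__":
    for alert in correlate(MAIL_EVENTS, SIGNIN_EVENTS):
        print("review sign-in:", alert)
```

A hit is a lead for review rather than proof of compromise, since users also sign in from personal phones for legitimate reasons.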


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.