North Korea implicated in malware attacks on a wide range of bodies in South Korea
North Korea most likely carried out freshly uncovered malware attacks on a range of South Korean bodies, a security company has claimed.
Kaspersky has been monitoring the attackers’ activity, uncovering strings containing Korean hieroglyphs, translations of which read as “Remote Shell”, “attack” and “completion”. It found a host of South Korean bodies were being targeted, including think tank the Sejong Institute, the Ministry of Unification governmental department, and the Korea Institute For Defense Analyses.
North Korea cyber strikes
“Among other organisations we counted, 11 are based in South Korea and two entities reside in China,” said Kaspersky Lab Expert, Dmitry Tarakanov, in a blog post.
“Clues found by us make it possible to surmise North Korean origin of the attackers.
“There are a lot of minimal malicious programs involved in this campaign but, strangely, they each implement a single spying function.”
The malware was often delivered by spear phishing emails, the initial dropper being a Dynamic Link Library allowing for subsequent malware uploading. Those additional files carry out all the espionage functions.
Spy components used by the attackers include keylogging, directory listing collecting and remote control access. It also grabs HWP files, which are like Word documents, but are part of the South Korean Hancom Office bundle.
The malware uses various techniques to hide suspicious activity, such as using different names for DLL services across versions. It also disables the system firewall and any such technology run by South Korean vendor AhnLab, whilst turning off the Windows Security Center, which would normally alert a user when firewalls are killed.
“We do know that many South Korean organizations install AhnLab security products. Accordingly, these attackers don’t even bother evading foreign vendors’ products, because their targets are solely South Korean,” Tarakanov added.
The attackers are using Bulgarian free email server to communicate with the malware. Kaspersky uncovered two email addresses – firstname.lastname@example.org and email@example.com – that were linked to the campaign and were registered with “kim” names “kimsukyang” and “Kim asdfa”.
Tarakanov said this could be evidence of North Korean involvement, as could the 10 IP addresses identified as being part of the campaign, which were all located in the Jilin and Liaoning areas of China that lie close to North Korea.
“The ISPs providing internet access in these provinces are also believed to maintain lines into North Korea,” he added.
North Korea and South Korea have claimed they are facing cyber attacks from one another. The North was alleged to have carried out malware attacks that wiped systems at banks and TV broadcasters, as well as denial of service hits on government websites.
How much do you know about information security? Try our quiz and find out!