The Choi Soon Sil controversy has become a significant political scandal in South Korea. Evidence suggests that North Korean hacking units have begun to capitalize on the opportunity by distributing malicious software using word processor files featuring content referencing the scandal. Daily NK has examined an email attachment entitled, “The Uneasy Republic of Korea,” and determined that the file was an attempted cyber attack likely originating from North Korea. The email was sent from a falsified email address appearing to belong to the director of a South Korean NGO.
A representative of the NGO that received the file notified Daily NK, adding that they have never received an email from this particular address and that the email address itself was not legitimate. North Korean hackers have been known to impersonate public figures and institutions by making email accounts in their name using public providers such as Naver, Daum, and Nate.
A cyber security expert who agreed to analyze the content of the file and speak on condition of anonymity said, “The file was created at 11:13 a.m. this morning and contains the very latest in malicious code from North Korea. Under no condition should anyone open a file that looks like this.”
“It appears that the file creator used an email account that on first appearance seems to belong to the president of an NGO. This is a common method used by North Korean hackers,” the analyst continued.
According to the results of a subsequent investigation, this type of phishing scam would allow the hacker to access the victim’s computer and send commands remotely.
The last person to modify the file saved the malicious code under the filename “MalDaeGaRi.” This is a term intended as an insult, which literally translates to “horse head,” and is used to describe people with unusually long faces. A cyber security expert with military experience explained, “This name appears to be a reference to Jeong Yoo Ra, Choi Soon Sil’s daughter.” Jeong Yoo Ra was a competition dressage athlete who competed at the 2014 Asian Games, and she became involved in the scandal when Ewha Women’s University was alleged to have given her preferential treatment during the admissions process. North Korean hacking units usually choose names for files that are related to the content.”
“It does not appear that this attack was intended for the general population. One of the patterns that has emerged is a specific focus on NGOs and defectors. It is likely that this attack was launched via infrastructure in China,” the security analyst continued.
This latest attack appears to be a continuation of the aggressive posture that North Korea has assumed since it was documented using Twitter for cyber attacks beginning in August this year. Cyber security analysts have concluded that techniques used by North Korean hacking units are becoming more advanced. The attacks on South Korea can be typically associated with North Korea due to their similar techniques and characteristics.
When asked about the nature of the attacks, security analyst Yu Dong Yul, Director of the Korea Institute of Liberal Democracy, noted, “The North is using these cyber attacks to collect information. Their techniques are advancing. This latest attack shows that they are using current events to create targeted content.”
“North Korea is using the internet as a way to strengthen their asymmetrical warfare capabilities, and their strategies are becoming increasingly sophisticated. They operate over 160 websites hosted on foreign servers and have begun to use social networking platforms as well,” Director Yu continued.
“The North Korean regime has shown an acute awareness of the current scandal involving Choi Soon Sil and is exploiting it for psychological warfare,” Director Yu added. “There are also operatives posting comments on South Korean websites spreading malicious rumors in an attempt to increase the chaos and confusion surrounding the incident.”
According to previous reports by Daily NK into North Korean cyber attacks, the following characteristics have emerged: 1) A Trojan email is sent, usually containing no content, but accompanied by a Korean language word processor file attachment; 2) The size of the attached file is usually between 15-40 KB; 3) Some of the email addresses appear to belong to public figures and institutions using common email providers such as Naver, Daum, and Nate.
