Cyber attacks targeting journalists who cover North Korea and non-governmental organizations dealing with North Korean human rights have become more brazen and sophisticated. In the past, hackers sent emails to random targets with attached files containing malicious code. A new “targeted strike” strategy has been observed, which uses the phone number of the person they want to target via a message on KakaoTalk, a popular messaging app used in South Korea.
The image above shows a hacking attempt on a journalist, launched through the KakaoTalk app on November 22nd. The attacker was impersonating the researcher Lee Tae Kyung from Yonsei University, and sent a link saying that it contained his collected papers. The journalist, who had no personal affiliation with the supposed sender, inquired as to how he had obtained her phone number. The hacker avoided answering the question.
The hacker then requested some images relevant to his research from the journalist, promising to provide financial compensation for them. The request seemed unusual for a few reasons. First, the journalist could not identify the relevant picture in question that the hacker requested. The thumbnail image used for the article was hardly worth the effort of making a request: it was a simple image taken from a Unification Ministry briefing. Second, the hacker used grammatically awkward language, suggesting that he might not be from South Korea.
The journalist then relayed the attached file that the hacker sent to a cyber security expert. An analysis was performed, and it was determined that the malicious code was the exact same code used in previous North Korean hacking attempts. The cyber security expert, speaking on condition of anonymity, said, “The logical inference to draw here is that this recent hacking attempt was sent from North Korea. Recently, we’ve seen North Korean hackers sending malicious code to targets on their cellphones.”
“If the victim of the cyber attack were to open the link on their smartphone, it’s likely the malicious code would have spread. If they opened the PC version, it might not have resulted in any sort of attack at all,” the expert continued.
A unique feature of the malicious code is that it was programmed to self-delete over time. The analyst was not able to find the malicious code in the file immediately after being sent the link, but he investigated the link history and was able to find it that way.
“It’s possible that this hacking attempt was aimed only at the first person to open the link. This method is usually employed to help disguise the origin of an attack,” the expert added.
There are two major ways in which this most recent attack differs from those in the past. Past attacks have tended to impersonate national research institutes, police stations, or public institutions, sending a malicious attachment in an email to the victim.
The recent flurry of attacks have targeted phone numbers instead of email addresses, reaching the victims through KakaoTalk. The emails previously sent by hackers were easier to identify as fraudulent, whereas messages sent through KakaoTalk can give the victim a mistaken impression that they are acquaintances.
Another aspect is worthy of attention. In the past, emails were sent anonymously to individuals associated with North Korean human rights organizations (etc.) and contained message content relevant to North Korea. Now, the hackers are directly reaching out to individual subjects and engaging in one-on-one conversation. This is designed to put the victim at ease, reducing their caution and piquing their curiosity.
The journalist became suspicious after being targeted by email attacks multiple times in the past. But the use of KakaoTalk admittedly caught them off-guard. The cyber analysis division of South Korea’s police force is currently investigating the use of KakaoTalk in such hacking attempts.
It appears that the identity chosen by the hacker, Lee Tae Kyung, also used an American phone number. Lee Tae Kyung’s profile picture used on KakaoTalk even had a small American flag on it. But it is difficult to believe that the attack would have been launched from America.
“The hacker did not install KakaoTalk himself, but instead gained access to a pre-existing account and used it for the cyberattack. This is also to disguise the identity and location of the attacker,” the cyber expert concluded.
