Hackers use Korea’s divided family reunion plans to mount ‘spear-phishing’ attack

HWP file assumed to be sent by a North Korean hacker. Image: ESTsecurity Corp.

As the two Koreas move forward with preparations to hold family reunions in August, there has been a spate of email phishing attacks on defector and North Korean human rights organizations thought to be the work of North Korean hackers.

Daily NK has learned that hackers have sent out “spear phishing” emails to representatives of defector and North Korean human rights organizations in a bid to obtain sensitive information. The emails were sent out with the subject title, “Ministry of Unification Divided Families Information System Administrator.”  

Spear phishing, which takes its name from spearfishing, is a targeted email attack: the attacker sends a message crafted to catch the attention of a specific recipient and entice them to click a malicious link or open a malicious attachment. Once the malware runs on the target's computer, it sends sensitive information back to the attacker and can be used to stage further malicious actions.

Computer security experts say that methods used in the recent spear phishing attacks are more refined than those used in the past.

In past attacks, targets were asked to open an attached Hangul Word Processor (.hwp) document. In this recent spate, the emails instead imitate the "security emails" that real companies send customers when requesting online payments, and direct the user to click a link to an .hwp file.

Hackers have sent out emails to representatives of North Korean human rights organizations and tried to fool their targets by stating that the email is from the Ministry of Unification.

When the email from the hackers is opened, a pop-up designed to resemble a security message appears. Note the misspelling of the word "security" in red. Image: ESTsecurity Corp.

The emails claimed that recipients could check information about the family reunions, and they were sent on July 3, the day the two Koreas exchanged lists of divided family members deemed eligible for the upcoming reunions (250 from South Korea, 200 from North Korea). Sending the emails on that date was likely intended to get as many targets as possible to click the links.

While the recent attacks cannot be conclusively attributed to North Korea, both the code and the methodology resemble other attacks linked to the country. Moreover, the choice of defector and North Korean human rights organizations as targets points to a motive.

A computer security expert who requested anonymity told Daily NK on July 4 that the code used in this attack is similar to other attacks attributed to North Korea, “so it’s likely they’re behind it. But it cannot be completely proven and more investigation is needed.”

East Security’s Security Response Team Director Mun Jong-hyun said that the code used in the attack and the attached file format (.exe) are all familiar to South Korean computer security analysts.

“The attack methods used are similar to those used by hackers who are on government payrolls. There is Russian language embedded in the code used in the attacks, which appears to be an attempt to hide the origin of the attacks. However, they used an .hwp file and fluent Korean in the body of the email – including use of the word ‘bibon’ (shorthand for ‘password’),” he told Daily NK.

The advanced persistent threat (APT) campaign behind the recent attacks, referred to as Operation Mystery Egg, has been broadly used against South Korean organizations working on North Korea issues.

“These recent attacks are APT attacks through email perpetrated by the Kumsong 121 Group, which is suspected of working for the regime,” said Director Mun. “APT attacks will continue until they have achieved their objectives.”

“Hackers collect information from the target users’ virus-infected computers and send additional files to the infected computer through command and control (C&C) servers. Through this method, hackers can gain complete control over the computer,” he added.

Computer security experts say that users must be extremely careful as the attacks are becoming more sophisticated and nuanced.

“When you receive an email you need to confirm the email address of the sender. Hackers use the email addresses of South Korean portal sites to conduct attacks,” another computer expert, who asked not to be named due to security concerns, added.

“Computer users should confirm whether the email they received is from an official email account from a government agency before opening it. Any emails that seem suspicious should be reported to computer security specialists.”
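The sender checks recommended above (confirm the sender's address, confirm the mail really comes from an official government account) and the lure pattern described earlier (a "security email" linking to an .hwp file, or an .hwp/.exe attachment) can be turned into a simple triage script. The following is an added example written for this page; it is not code from Daily NK, ESTsecurity or the incident. The trusted domain unikorea.go.kr is an assumption standing in for whatever agency domains an organisation genuinely receives mail from, and both sample messages are constructed for the example, not real indicators.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed legitimate sender domain for the agency being impersonated; an
# organisation would fill this with the domains it actually receives mail from.
TRUSTED_DOMAINS = {"unikorea.go.kr"}
# Extensions that should never arrive unsolicited as a link target or attachment.
RISKY_EXTENSIONS = (".hwp", ".exe", ".scr", ".lnk", ".zip")

# Constructed lure, modelled on the article's description (fake "security email",
# spoofed Ministry of Unification sender, link to an .hwp file). All addresses,
# domains and URLs here are made up for this example.
PHISHING_EML = """\
From: "MOU Divided Families System Administrator" <admin.unikorea@example-portal.net>
Return-Path: <bulk-sender@example-mailer.org>
To: rep@example-ngo.org
Subject: Ministry of Unification Divided Families Information System Administrator
Authentication-Results: mx.example-ngo.org; spf=fail smtp.mailfrom=example-mailer.org; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please check the family reunion information via the secure document below.</p>
<p><a href="http://files.example-portal.net/download/reunion_list_0703.hwp">Security Email - Reunion List.hwp</a></p>
</body></html>
"""

# Constructed benign counterpart: consistent domains, passing SPF/DKIM, link to the agency site.
LEGITIMATE_EML = """\
From: "Divided Families Information System" <admin@unikorea.go.kr>
Return-Path: <admin@unikorea.go.kr>
To: rep@example-ngo.org
Subject: Notice on the family reunion schedule
Authentication-Results: mx.example-ngo.org; spf=pass smtp.mailfrom=unikorea.go.kr; dkim=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>The notice is published at
<a href="https://www.unikorea.go.kr/notice/123">the ministry website</a>.</p></body></html>
"""


def _domain(header_value):
    """Lower-cased domain of an address header ('' if the header is missing)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def _trusted(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse_email(raw):
    """Return {'verdict': 'ok' | 'suspicious', 'findings': [(code, detail), ...]}."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Visible sender: does the From domain belong to the agency it claims to be?
    from_domain = _domain(msg["From"])
    if not _trusted(from_domain):
        findings.append(("untrusted-sender-domain", from_domain))

    # 2. Envelope sender: bounces for genuine agency mail go back to the agency's own domain.
    rp_domain = _domain(msg["Return-Path"])
    if rp_domain and rp_domain != from_domain:
        findings.append(("return-path-mismatch", rp_domain))

    # 3. Receiving server's SPF/DKIM verdicts, as recorded in Authentication-Results.
    auth = str(msg["Authentication-Results"] or "")
    if not auth:
        findings.append(("no-authentication-results", ""))
    else:
        for mech in ("spf", "dkim"):
            m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
            result = m.group(1).lower() if m else "missing"
            if result != "pass":
                findings.append((f"{mech}-{result}", auth))

    # 4. Links in the body: off-domain hosts or document/executable targets are the lure.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for url in re.findall(r'href=["\']([^"\']+)["\']', html, re.I):
        parsed = urlparse(url)
        if not _trusted(parsed.hostname or "") or parsed.path.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("suspicious-link", url))

    # 5. Attachments: the older variant of the campaign attached the .hwp (or .exe) directly.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))

    return {"verdict": "suspicious" if findings else "ok", "findings": findings}


if __name__ == "__main__":
    for label, raw in (("lure", PHISHING_EML), ("benign", LEGITIMATE_EML)):
        result = analyse_email(raw)
        print(label, result["verdict"])
        for code, detail in result["findings"]:
            print("   ", code, detail)
```

The script only reads headers the receiving mail server already stamps (Authentication-Results) and the visible From/Return-Path pair, so it needs no network access; a message that fails any check is not proof of an attack, but it is exactly the kind of mail the experts above say should be passed to a security specialist rather than opened.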