“North Korean hacking units have intensified their attacks on defectors and human rights groups in South Korea since August 2016. The sustained attacks typically continue until the target’s computer is under the full control of the hackers, with documents, videos and pictures seized in the process. While the South Korean government and private security firms are coming to the defense of these organizations to stave off further damage, defectors have not been afforded the same level of protection.”
“Furthermore, many victims are unaware that their computers have been infected. The most critical issue is that the defector community must be alerted, and any information that can be used to ascertain the location or identity of relatives still in North Korea should be deleted. I strongly recommend to the defector community that files sent from unknown sources must not be opened.”
The above was conveyed by a cyber security expert at the head of an investigation into the ongoing attacks in consultation with foreign and domestic cyber security experts. Daily NK has confirmed that the extent of the damage is severe. To date, more than 50 defectors residing in South Korea have had their personal computers attacked by North Korean hackers, generating concern for the safety of the defector community and their relatives back in North Korea.
The hackers have employed complex techniques to retrieve personal information, including eavesdropping through the PC version of the popular chat application KakaoTalk. It has also been determined that hackers have succeeded in installing malicious code via chatrooms frequented by defectors. Evidence suggests that sensitive conversations are being monitored and recorded in real time.
Furthermore, personal data is also known to have been stolen from computers at defector resettlement centers and on university campuses. Such institutions are believed to be attractive targets because defectors are likely to store relevant information on machines there.
“Although I’ve been closely observing the patterns and trends of North Korean hackers for quite some time, I’ve never seen an attack of this magnitude on the defector community before. The most frightening aspect of this latest attack is that it remains uncertain how the North Korean regime plans to use the private information that they have stolen,” said the cyber security expert, who agreed to speak with Daily NK on condition of anonymity.
“We are really not quite sure, but the timing of the attacks could signify that it’s a retaliatory response. The South Korean government recently decided to grant asylum to Thae Yong Ho – a former North Korean diplomat stationed in England who defected with his family over the summer. Since then, the number and severity of cyber attacks have escalated. The head of one of the country’s most active defector assistance groups has also been subjected to a cyber attack.”
A detailed description of the attacks has been meticulously constructed over the course of the investigation. First, the IP address that appears to have coordinated the attacks is confirmed to be based in Pyongyang, North Korea’s capital. The expert involved in the investigation reported, “We were able to decipher the encryption protecting the command code and confirmed its location by pinging it with a test signal.”
The investigation has also revealed that attacks are now being carried out via Twitter. Until the most recent spate of attacks, North Korean hackers had primarily focused on users of particular sites. The shift to Twitter thus indicates a change in tactics.
North Korean hackers are known to follow a consistent procedure. First, emails are sent with infected document files as attachments, which infect the target computer if they are opened. The malicious code then sends a notification via the hacker’s Twitter account, which allows the hacker to open the user’s files and send commands to the computer remotely. Experts have identified at least nine different Twitter accounts being used in this way. At least one of these accounts was found to be operated from a hacked defector’s computer in South Korea.
The document files carrying the malicious code typically have no usable content and range in size from 15 to 40 KB. They are sent from email accounts hosted by popular South Korean portals, including Naver, Daum, and Nate.
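As an added illustration, not code from Daily NK or the investigators, the following triage rule combines the three observable traits just described (portal sender, document attachment, 15–40 KB size) over constructed mail-gateway records; the record layout, the document extensions, and treating KB as 1024 bytes are assumptions.

```python
from pathlib import PurePosixPath

# Indicators drawn from the article: small document attachments (15-40 KB) sent from
# accounts on the major South Korean portals. KB is taken as 1024 bytes (assumption).
PORTAL_DOMAINS = {"naver.com", "daum.net", "nate.com"}
# The article only says "Korean language document files"; these extensions are assumed.
DOC_EXTENSIONS = {".hwp", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
SIZE_MIN_BYTES, SIZE_MAX_BYTES = 15 * 1024, 40 * 1024

# Constructed sample mail-gateway records (not real messages), one dict per inbound mail.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "unknown.contact@naver.com", "attachment": "invitation.hwp", "size_bytes": 23_000},
    {"id": "m2", "sender": "colleague@company.co.kr", "attachment": "report_q3.pdf", "size_bytes": 812_000},
    {"id": "m3", "sender": "reunion@daum.net", "attachment": "schedule.doc", "size_bytes": 37_500},
    {"id": "m4", "sender": "someone@nate.com", "attachment": "photo.jpg", "size_bytes": 30_000},
    {"id": "m5", "sender": "admin@daum.net", "attachment": "notice.hwp", "size_bytes": 120_000},
]


def matched_indicators(msg):
    """Return the list of article-derived indicators that this message matches."""
    hits = []
    domain = msg["sender"].rsplit("@", 1)[-1].lower()
    if domain in PORTAL_DOMAINS:
        hits.append("portal_sender")
    ext = PurePosixPath(msg["attachment"]).suffix.lower()
    if ext in DOC_EXTENSIONS:
        hits.append("document_attachment")
    if SIZE_MIN_BYTES <= msg["size_bytes"] <= SIZE_MAX_BYTES:
        hits.append("size_15_40kb")
    return hits


def triage(messages):
    """Flag only messages matching all three indicators.

    Each indicator on its own is extremely common (these portals carry a huge volume of
    legitimate mail), so only the conjunction is worth acting on, and the output is a
    queue for sandbox detonation or analyst review, not a malware verdict.
    """
    flagged = []
    for msg in messages:
        if len(matched_indicators(msg)) == 3:
            flagged.append((msg["id"], msg["attachment"]))
    return flagged


if __name__ == "__main__":
    for mid, name in triage(SAMPLE_MESSAGES):
        print(f"{mid}: {name} -> hold for sandbox detonation / analyst review")
```

A real deployment would feed the flagged attachments to a sandbox and compare hashes against vendor feeds rather than relying on size and sender alone.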
Image caption: These Korean-language document files contain malicious code; all were identified within the last month alone. Image: Daily NK.
“Security firms are working to further investigate these attacks, but the truth is that the number of victims is on the rise. We urge people to use the utmost caution when receiving files or messages that are suspicious or come from unknown senders,” the expert concluded.
Defectors who have received suspicious emails with attached files can contact Daily NK (firstname.lastname@example.org) to determine whether or not the files contain malware from North Korean sources.