North Korea has launched a cyberattack using an ID stolen from an actual South Korean police officer who investigates cybercrime.
In a press release Wednesday, South Korean cybersecurity firm ESTsecurity said the attack was launched by a hacker who posed as an investigating officer from the advanced security investigation team of a specific South Korean police department.
The company said the hacker used a PDF with an official ID card, including a photo and real name.
The PDF the hacker used included the official ID card’s QR code, photo, name, department, rank, birthday and contact number.
Essentially, the hacker tried to evade the target’s suspicion by presenting the ID card of an actual police officer who handles cybercrime.
Hackers used a police ID in a 2017 attack as well. In that attack on a South Korean cryptocurrency exchange, the attacker posed as an officer requesting cooperating in querying registered users. They used a PDF copy of the officer’s ID card and an infected Excel file titled “Bitcoin transaction details.xml.” A sweeping investigation by the authorities concluded the attack was launched by a North Korean hacking ring.
ESTsecurity Security Response Center (ESRC) said the server commands used in the latest attack were the same as the commands and patterns used in phishing attacks on the Office of the United Nations High Commissioner for Human Rights and National Unification Advisory Council reported in February and May, respectively.
This means we can assume the latest phishing attack was launched by North Korea, too, given that North Korean hacking rings were behind the previous attacks.
In fact, the ESRC’s analysis determined that the latest attack was the work of a hacking organization connected to North Korea’s Reconnaissance General Bureau.
An employee of ESRC said the North Korean cyber security risk is so high that hackers are “even stealing the IDs of serving South Korean police officers to search for and boldly approach targets.”
Calling for caution, he said, “Above all else, we always need to be suspicious and bolster our awareness and level of tension, like in the zero trust cyber security model predicated on trusting no one.”
The zero trust cyber security model calls for users totrust nobody, not even users or devices that have passed through security systems and accessed the system. Assuming that all users or devices pose security risks, the model grants permissions after thorough verifications.
Meanwhile, the officer whose ID was used in the attack actually sent documents to the suspected victims of cyber attacks last month.
An employee of Unification Media Group, an organization that sends broadcasts into North Korea, received an email last month from the officer in question warning the employee that he may have been hacked. Analysis confirmed that the file attached to the email was clean, and that the actual officer had sent the email to request cooperation.
The ID file was possibly leaked through another recipient of a police cooperation request who had already been hacked. The hacker appears to have acquired the ID card file and other materials from a computer he already controlled, using them in the latest attack.
Because of this, people who have exchanged emails with the officer in question need to take extra care because they are at high risk of being attacked. They must be on guard against security failures, carefully examining the addresses of senders and directly confirming with the other party whether they sent the relevant email.
Please direct any comments or questions about this article to dailynkenglish@uni-media.net.
