In recent days, a North Korean hacking group has allegedly been sending out phishing emails with a malicious code-laced press release from South Korea’s National Election Commission (NEC).

A former Daily NK employee received an email seven days ago with the subject line “Recruiting Vote Count Observers for the 20th Presidential Election.” The email’s sender was shown as the “National Election Commission Public Information Office.”

Attached to the email was a press release, which announced the recruitment of vote count observers for South Korea’s upcoming presidential election. 

The former employee, who requested anonymity, told Daily NK he found it suspicious that the email was sent from a personal account rather than an official NEC account. 

Daily NK requested an analysis of the email from a cybersecurity expert, who revealed that the email was sent by a North Korean hacking group. 

A screenshot of the email shared with Daily NK by a former employee targeted by the phishing attempt. (Daily NK)

“Based on the results of an analysis of the techniques and style of the attack, we believe that the email was sent by the North Korean hacking group Gumsong 121,” said Mun Chong Hyun, the head of the ESTsecurity Security Response Center. “They launched an advanced persistent threat [APT] attack, which was in the form of a press release sent out by the NEC.”

Gumsong 121 is a prominent hacking group run by North Korea’s Reconnaissance General Bureau. Mun said that members of the group forged the press release published on the NEC website on Feb. 7 and are using it to mount cyberattacks.

“If you open the attached document, a fake pop-up appears,” he explained. “If you push the OK button, malicious OLE [Object Linking and Embedding] code hidden inside is activated.”

OLE allows a document to embed, and even edit in place, objects created by other applications. Rather than exploiting software vulnerabilities, the North Korean attackers abuse this legitimate OLE functionality to deliver malicious code, which means users remain exposed even with all security patches installed. To stop the attack at this stage, users should press “Cancel” and close the document if it prompts them to “run content” or “run macros.”
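As an added illustration (not part of the Daily NK article or the ESTsecurity analysis), the following Python script shows how a defender can triage an Office attachment offline before anyone opens it: it unpacks the OOXML zip and flags embedded OLE objects (by their relationship type, the `<o:OLEObject>` tag and the OLE2 container signature) as well as any `vbaProject.bin` macro module. The document it scans is constructed inline as a sample; the real attachment is not reproduced.

```python
import io
import re
import zipfile

# OLE2 compound-file signature: the container format of embedded Office objects.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

def scan_ooxml(data: bytes) -> dict:
    """Summarise embedded-OLE and macro indicators in an OOXML (.docx/.xlsx/.pptx) file."""
    report = {"ole_parts": [], "ole_rels": 0, "ole_tags": 0, "vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)
            if name.endswith("vbaProject.bin"):          # macro project -> "enable macros" lure
                report["vba"] = True
            if "/embeddings/" in name and content.startswith(OLE_MAGIC):
                report["ole_parts"].append(name)         # embedded part really is an OLE2 file
            if name.endswith(".rels"):
                report["ole_rels"] += content.count(OLE_REL.encode())
            if name.endswith("document.xml"):
                report["ole_tags"] += len(re.findall(rb"<o:OLEObject\b", content))
    report["suspicious"] = bool(report["ole_parts"] or report["ole_rels"]
                                or report["ole_tags"] or report["vba"])
    return report

def build_sample_docx(with_ole: bool = True) -> bytes:
    """Constructed sample, not the real attachment: a minimal .docx, optionally with one embedded OLE object."""
    rel = (f'<Relationship Id="rId5" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>'
           if with_ole else "")
    run = ('<w:object><o:OLEObject Type="Embed" ProgID="Package" r:id="rId5"/></w:object>'
           if with_ole else "<w:t>plain text only</w:t>")
    doc = (f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}" '
           f'xmlns:o="urn:schemas-microsoft-com:office:office"><w:body><w:p><w:r>{run}</w:r>'
           "</w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", f"<Relationships>{rel}</Relationships>")
        if with_ole:  # a 512-byte OLE2 header stub is enough for the signature check
            z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_ooxml(build_sample_docx(True)))
    print(scan_ooxml(build_sample_docx(False)))
```

A document that triggers any of these indicators deserves sandbox analysis before it is opened, and a mail gateway can apply the same check to attachments in transit.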

A screenshot of the popup shown in the press release. If users click “OK,” they risk executing malicious code on their computers. (Daily NK)

“Once the malicious code is executed, the next command links the user with an attack server [work3.b4a[.]app],” Mun said. “This system issues additional malicious code commands based on the intentions of the attacker.”

On compromised systems, North Korean hackers install backdoors that let them remotely control the machine or gather information. They then install additional malware chosen according to the information gathered from the target, or use the foothold to mount a follow-on attack.

There are about 30 days left before the South Korean presidential election, and attacks by North Korean hackers appear to be intensifying.

Over the last three days, North Korean hacking groups have sent phishing emails to South Korean reporters working on unification, diplomacy, and political issues.

Given that this recent phishing attack used a press release from a government organization, North Korean hackers appear to be targeting reporters.

Generally speaking, email users should verify the sender before opening any email. Attackers can trivially spoof the displayed sender name. One way to avoid falling victim to a phishing attempt is to confirm that the email was actually sent by the person or public institution it claims to come from.

Translated by Jason Mallet

Please direct any comments or questions about this article to dailynkenglish@uni-media.net.


Mun Dong Hui is one of Daily NK's full-time reporters and covers North Korean technology and human rights issues, including the country's political prison camp system. Mun has a M.A. in Sociology from Hanyang University and a B.A. in Mathematics from Jeonbuk National University. He can be reached at dhmun@uni-media.net