N. Korean hackers mount phishing attack on NKHR groups

Experts suggest that the latest alleged phishing attack was conducted by the N. Korean hacking group "Kimsuky"

On Dec. 18, a North Korean hacking group allegedly conducted a phishing attack on several of the non-governmental organizations that published an open letter to South Korean President Moon Jae-in urging him to acknowledge North Korea’s human rights violations. 

The Transitional Justice Working Group (TJWG) had announced that hackers had contacted the head of their organization masquerading as Kwon Eun-kyoung, director of the International Coalition to Stop Crimes against Humanity in North Korea (ICNK). Both TJWG and ICNK were signatories of the joint open letter addressed to President Moon on Dec. 16. The phishing attempt was made just two days after the letter was published. 


“The aim of this phishing attack seems to have been accessing the email addresses of individuals involved in North Korean human rights NGOs,” said Mun Chong Hyun, the head of the ESTsecurity Security Response Center (ESRC) to Daily NK on Friday. “When analyzed against past phishing emails, we can infer that this was the work of Kimsuky.”

Kimsuky is the organization behind the 2014 attack on Korea Hydro and Nuclear Power in 2014, and according to the results of a joint investigation by multiple agencies, Kimsuky is backed by the North Korean state.

“Because this attack used a phishing site rather than malware, it is difficult to ascertain what organizations were involved,” said Moon, but added, however, that “The IP address from which the phishing email was sent, however, corresponds precisely to part of the IP range of a VPN that Kimsuky has used in the past.” 

“Moreover, there are strong resemblances to email addresses that Kimsuky has used in the past,” added Moon. “However, more investigative work is required to know for certain.”

In past phishing attacks on individuals at North Korean human rights-related NGOs, hackers were found to have used North Korean expressions not commonly used in South Korea. 

“We can spot instances of North Korean terms in other emails sent by this hacking group, which is the one behind this phishing email. We can make the assumption that the attack originated from a group accustomed to North Korean expressions,” said Moon.

phishing attack
A screen capture of the “open letter” used by hackers on a fake website aimed at acquiring personal information of North Korean human rights organization workers. / Image: ESRC

In fact, in past emails that this hacking group sent to other individuals, the expression “We will send you the documents soon” stood out, because the authors used a provincial North Korean term for “soon,” rather than the standard South Korean expression. 

“The overseas servers used in the attack were not used before,” continued Moon. “We can see that the attackers took special care to prevent the leakage of any information that could be traced back to them.” 


The phishing email contained an attachment that, when clicked, directed the reader to a website masquerading as the website of a North Korean human rights organization based in the US. 

According to data analyzed by ESRC, the attachment redirected the receiver to a website disguised as the website of the Defense Forum Foundation, a US-based North Korean human rights organization. 

The fake website featured a login screen that asked for an email address and a password. The information used to log into the website was then immediately sent to the hackers. The website then redirected to a screen showing the open letter as part of the hackers’ efforts to make the website seem legitimate. 

ESRC’s Moon told Daily NK that North Korean human rights NGOs need to be vigilant to prevent personal information from being obtained by hackers.

*Translated by Violet Kim

Please direct any comments or questions about this article to dailynkenglish@uni-media.net.

Mun Dong Hui
Mun Dong Hui is one of Daily NK's full-time reporters and covers North Korean technology and human rights issues, including the country's political prison camp system. Mun has a M.A. in Sociology from Hanyang University and a B.A. in Mathematics from Jeonbuk National University. He can be reached at dhmun@uni-media.net