North Korean hackers have succeeded in attacking a South Korean government server via an e-mail containing malicious code. The hackers gained control of infrastructure belonging to Korean Government Legal Services, an agency in charge of the government’s legal affairs, and have reportedly used it as a ‘command and control server’ to launch further hacking attacks.
Daily NK has provided an analysis of the malicious file attached to the e-mail entitled “Analysis on North Korea’s 2017 New Year’s Address.” The attackers appear to have succeeded in exploiting the interest in Kim Jong Un’s 2017 New Year’s Address.
The e-mail was sent in the name of the “North Korea Research Academy of the Korea Institute for National Unification” and contained malicious code allowing the hackers to access confidential documents and control the server.
A spokesperson for the Korea Institute for National Unification (KINU) informed Daily NK, “KINU’s Office of North Korea Research indeed sent an analysis of Kim Jong Un’s New Year’s Address on January 1 in the name of the ‘North Korea Research Division of the Korea Institute for National Unification.’ However, we did not send the e-mail today (January 2) and there is no entity called the ‘North Korea Research Academy’ within KINU.”
A computer security expert who spoke on condition of anonymity stated, “The e-mail contains the latest malicious North Korean code, evidently created this morning (January 2). The hackers have used the opportunity of Kim Jong Un’s New Year’s Address to attract interest.”
“The attack is very similar to the North Korean hacking attack last year that targeted defectors in South Korea. The malicious code is 99% identical to the one previously used by North Korean hackers,” he added.
According to Daily NK’s analysis, double-clicking on a segment of the text string “Comparison on the main assignments of 2016 and 2017” in the attached file results in infection of the host computer by the malicious code. The document’s title is the exact text of the New Year’s Analysis sent out by the Ministry of Unification, but with malicious text embedded in a hyperlink offering detailed comparisons of the 2016 and 2017 New Year’s addresses.
Clicking the ‘Comparison on the main assignments of 2016 and 2017 in the file
results in infection of the host computer by malicious code. Image: Daily NK
Following the infection of one computer by the malicious code, known as the zombie, the event was reported back to the hackers via a server for the Korean Government Legal Services, which was also infected. After being alerted to the infection, the hackers sent extra files designed to carry out further actions in each of the infected computers.
One cyber security expert affiliated with the military said on condition of anonymity, “The fact that the exact Ministry of Unification report on Kim Jong Un’s New Year’s Address was used by the hackers shows that they already had control of a computer holding the original file. That someone could be a reporter for the Ministry of Unification, or a person related to the Ministry.”
“The North Korean authorities must be very upset after the defection of Thae Yong Ho, North Korea’s ex-deputy ambassador in London. It is likely that they sought information on Mr. Thae by hacking organizations that are in contact with him,” the expert surmised.
Regarding the seizure of the server belonging to Korean Government Legal Services by the hackers, the security expert commented that further investigation is required, but there is a possibility that important files in the server have already been extracted.
The method of attack shows some differences to the previous incident last year. The size of the e-mail containing the malicious code sent last year was between 15-40KB, but this time, the size of the text file was 282KB, signaling a tactical shift.