A series of email spear phishing attacks have recently targeted North Korea analysts, associates of the defector community, and North Korean human rights organizations. A hacking attack launched on January 11 is being treated with extra caution, as it shares similarities with a widespread hacking attack last year targeting the email accounts and passwords of 56 officials based at the South Korean Ministry of National Defense, Ministry of Foreign Affairs, and the Ministry of Unification.
Daily NK has learned that hackers distributed an email entitled “Project data on public-private cooperation” on the morning of January 11. The attack was categorized as a form of ‘spear phishing’ targeting specific individuals related to the defector community and North Korea human rights organizations, aiming to take control of their email addresses and passwords.
Spear phishing is a sophisticated and focused hacking attack that targets specific individuals, unlike standard phishing which creates a fake Internet site and attempts to extract personal information from any visitor connecting to the site. The purpose of spear phishing is to seize specific and sensitive information. After finding out the target’s email address and password, the hackers typically send an email from a fake Internet site to the target’s address in order to extract specific information.
The hacking attack launched on January 11 followed this pattern. The perpetrator(s) sent an email to a victim, attaching a text file entitled “Public-private cooperation project 2017(final).hwp.” The hacker manipulated the email so that upon opening the file, it would activate a false log-in page for Naver (a phishing page designed to look like a common South Korean web portal) to induce the victim to enter their ID and password. According to a security agency, the fake log-in site first appeared in 2013 and stole account information from a number of Naver users.
After entering information, a message appears stating: “Sorry, but your session has expired. Please check your password again.”
Image caption: The hacker manipulated the email so that when the victim clicks on the attached file, a fake log-in page for Naver (a phishing page) opens and asks the victim to type in their ID and password. (Image: Daily NK)
The hacker inserted the sentence above onto a fake log-in page for Naver, to coerce the victims to type in their ID and password. The process launches automatically if the victim opens the attached file. For reference, Naver does not use the expression ‘Sorry’ when the log-in session expires.
However, unlike the hacking attacks launched on January 2 (regarding Kim Jong Un’s New Year’s Address), and January 5 (impersonating the Ministry of National Defense), the hacking attack identified on January 11 has yet to be confirmed as being launched from a North Korean hacking unit. In the previous two cases, almost identical malicious code frequently used by North Korean hackers was involved, but the code used in the ‘spear phishing’ attack has been more difficult to forensically analyze.
However, experts in the security industry assert that the hacking attack can be “reasonably assumed” to be committed by a North Korean hacking unit for a number of reasons. The attack has only targeted individuals associated with the defector community and North Korean human rights organizations. The attack has also involved a hwp-type text file which is frequently used by North Korean hackers. North Korea’s hacking attacks last year on government email accounts followed a similar pattern. At the time, the cyber criminal investigation division of the Supreme Prosecutors’ Office reported, “A group assumed to be a North Korean hacking unit has constructed a total of 27 phishing sites to steal information.”
“It is of course important to determine whether the hacker was North Korean, but it is also worth noting that hacking attacks are increasing and spreading to the private sector,” a computer security expert told Daily NK under condition of anonymity on January 12.
“The hackers are likely launching extra attacks on others through stolen email addresses. Now that the hacking attacks are occurring daily, cooperation between the state and private sector is urgently needed.”
Yoo Dong Ryul, President of the Korea Institute for Liberal Democracy, who is also a security expert, commented, “These attacks can be preliminary groundwork for a large-scale cyber attack. The hackers are continuously creating new patterns of attacks in order to circumvent security measures.”
In order to prevent the hacking attacks, Yoo said, “First of all, individuals have to be careful when using their personal information. The security organizations must make a case book of hacking attacks and distribute them both online and offline so as to prevent recurrences.”
The following are security recommendations by computer security experts to prevent spear phishing damage.
First, never open an email attachment of unknown origin. Avoid opening suspicious files, and if necessary, use the preview function to inspect files first. Some files with seemingly legitimate content may still have malicious code hidden in them.
Second, keep the security setting of your document creation program up to date. There are many text files with malicious code in circulation, posing as legitimate documents.
Third, use a reliable antivirus (“vaccine”) program and keep registry lists up to date. You can protect your computer more safely from hacking attacks if you install a comprehensive security solution along with an antivirus program, for example, ALYac Internet Security by ESTsoft Corp.
Fourth, proceed with caution when entering your email address or password on any website. Ensure that any online forms you interact with are indeed located at the correct website address.
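The address check in the fourth recommendation can be automated, for example in a mail gateway or browser helper. The following is an added example, not part of the original article: it compares the address of a log-in page strictly against the portal's real domain. It assumes Naver's log-in pages are served over HTTPS on hosts under naver.com; the function name and all sample addresses are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the real portal serves its log-in form only over HTTPS on
# hosts under naver.com. Change the set to cover other services.
TRUSTED_DOMAINS = {"naver.com"}


def check_login_url(url):
    """Return (ok, reason) for the address of a page asking for an ID and password."""
    if "\\" in url:
        # Browsers read "\" as "/", so the host a parser sees may differ.
        return False, "backslash in URL"
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        # Also catches file:// pages opened locally from an attachment.
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # In https://trusted-name@other-host/ the browser connects to other-host.
        return False, "userinfo in URL"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        # Look-alike letters from other scripts can imitate a trusted name.
        return False, "internationalized host"
    for domain in TRUSTED_DOMAINS:
        # Exact match or a true subdomain only; a bare suffix match is not enough.
        if host == domain or host.endswith("." + domain):
            return True, "trusted host"
    return False, "untrusted host"


# Constructed sample addresses; the .example hosts are placeholders.
SAMPLES = [
    "https://nid.naver.com/nidlogin.login",
    "https://naver.com.login.example/",
    "https://nid.naver.com@login.example/",
    "file:///C:/Users/victim/AppData/Local/Temp/login.html",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_login_url(sample))
```
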