Suspected North Korean hackers have launched a phishing operation targeting North Korean human rights organizations and activists. Emails have been fabricated to appear as if they have come from NGO activists and government organizations.
Lee Kwang Baek, head of Unification Media Group (UMG), received two emails that appeared to be from a North Korean hacker unit and uploaded images of the emails on his Facebook page on August 28.
The alleged sender of the emails that Lee released to the public was “Cho Ju Yon, the deputy finance manager of the North Korea Research Institute.” Daily NK inquired about the email with the North Korea Research Institute, who responded that while Cho was a real person, he did not use that email address.
North Korean hackers may have stolen Cho’s private information to make the email appear as if it was sent by Cho.
The other email received by Lee was from “firstname.lastname@example.org,” which appeared to be from the South Korean Cyber Police. The email address, however, uses “.qo” instead of the standard suffix “.go,” which is commonly used by government organisations. Moreover, while the South Korean police have a Cyber Security Division, there is no such thing as the “Cyber Security Police Headquarters.” South Korean police typically use email addresses that end in @police.go.kr.
An Internet security expert who analyzed the emails said that they were likely sent by a North Korean hacker.
Moon Jong Hyun, who is the head of ESRC (Security Response Center), a South Korean Internet security firm, told Daily NK that “the email has malicious code” and that “the IP address of the email sender was in Atlanta, USA, but the emails nonetheless are likely part of a North Korean attack because the country’s hackers used similar IPs and frequencies in hacking attempts during the political scandal involving Choi Soon Sil in 2016.”
North Korea sent a number of phishing emails using keywords like “Choi Soon Sil,” “political scandal,” and “presidential resignation” when the political scandal surrounding Choi Soon Sil erupted in 2016.
“The id ‘chojyinks’ of the email sent by the hacker is registered with South Korean email service Hanmail, and after confirming the registration information, it was found to be connected to a specific email address (ko******@zo******.com),” said Moon. “We couldn’t confirm which site zo******.com refers to, but zoho.com is one of the types of email services that North Korean hackers have used before.”
“After analyzing the email’s code, we found that the word ‘Customer Center’ was spelled in the North Korean dialect […] The second email is also suspected of being a case of North Korean phishing, so there’s a need to find out whether an order [by the DPRK government] has been handed down [to make hacking attempts].”
Although inter-Korean relations continue to improve with the third inter-Korean summit is set to take place in September, North Korea still appears to be conducting cyber warfare on its southern neighbor.
The Kumsong 121 Group, a known North Korean hacker organization, recently placed malicious code in a PC anti-virus program on August 14, and last month was accused of conducting a phishing attack on defector and North Korean human rights workers in connection with the separated family reunions.