North Korean hackers use a unique tactic to spy on foreign experts
When Daniel DePetris, a US-based foreign affairs analyst, received an email in October from the director of the think tank 38 North requesting an article, it seemed like business as usual.
This was not the case.
The sender was actually a suspected North Korean spy seeking information, according to those involved and three cybersecurity researchers.
Instead of infecting his computer and stealing sensitive data, as hackers usually do, the sender seemed to be trying to get his thoughts on North Korean security issues by impersonating the director of 38 North, Jenny Town.
“I realized it wasn’t legit once I contacted the person with follow-up questions and discovered that in fact no request had been made and that person was also a target,” DePetris told Reuters, referring to Town. “So I understood quite quickly that this was a large-scale campaign.”
The email is part of an unprecedented new campaign by a suspected North Korean hacking group, according to cybersecurity experts, five people targeted and emails reviewed by Reuters.
The hacking group, which researchers have dubbed Thallium or Kimsuky, among other names, has long used “spear-phishing” emails that trick targets into giving up passwords or clicking on attachments or links that load malware. Now, however, it also seems to simply ask researchers or other experts to give their opinion or write reports.
According to emails reviewed by Reuters, other issues raised included China’s reaction to another nuclear test; and whether a “quieter” approach to North Korean “aggression” might be warranted.
“Attackers are having great success with this very, very simple method,” said James Elliott of the Microsoft Threat Intelligence Center (MSTIC), who added that the new tactic first appeared in January. “The attackers completely changed the process.”
MSTIC said it identified “several” North Korean experts who provided information to a Thallium attacker account.
Experts and analysts targeted in the campaign influence international public opinion and foreign government policy toward North Korea, the cybersecurity researchers said.
A 2020 report from the US government’s cybersecurity agencies said Thallium has been operating since 2012 and “is most likely tasked by the North Korean regime with a global intelligence-gathering mission.”
Thallium has historically targeted government employees, think tanks, academics and human rights organizations, according to Microsoft.
“The attackers are getting the information straight from the horse’s mouth, if you will, and they don’t have to sit down and make interpretations because they’re getting it straight from the expert,” Elliott said.
North Korean hackers are well known for their multimillion-dollar attacks, targeting Sony Pictures over a film deemed insulting to its leader, and stealing data from pharmaceutical and defense companies, foreign governments and others.
The North Korean Embassy in London did not respond to a request for comment, but denied involvement in cybercrime.
In other attacks, Thallium and other hackers have spent weeks or months building trust with a target before sending malware, said Saher Naumaan, senior threat intelligence analyst at BAE Systems Applied Intelligence.
But according to Microsoft, the group now also engages with experts in some cases without ever sending malicious files or links, even after victims respond.
This tactic can be faster than hacking into someone’s account and going through their emails; it bypasses traditional security tools that scan for and flag messages with malicious elements; and it gives snoopers direct access to the thinking of experts, Elliott said.
“For us as defenders, it’s really, really hard to stop these emails,” he said, adding that in most cases it’s up to the recipient to figure it out.
Town said some messages purporting to be from her used an email address ending in “.live” rather than her official account, which ends in “.org”, but copied her full signature line.
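The one technical signal the report gives is the sender address: a display name and signature copied from a real contact, but an address on a different domain (“.live” where the contact’s real account ends in “.org”). The following is an added example, not code from Reuters, 38 North or Microsoft, of the kind of check a mail gateway or a mail client add-in can run against a directory of known contacts. The contact directory, the domains (example.org, example.live, example.net) and the three messages are constructed for illustration; the Reply-To check at the end goes beyond what the article describes.

```python
"""Display-name impersonation check for inbound mail.

Added example, not code from the Reuters report or from any of the
organisations it names. It demonstrates the one technical signal the article
gives: a From display name that matches a known contact while the sender
address lives on a different domain (".live" instead of the contact's ".org").
Contact directory, domains and messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed directory: normalised display name -> legitimate sender domains.
KNOWN_CONTACTS = {
    "jenny town": {"example.org"},
}


def normalize_name(name: str) -> str:
    """Lower-case, collapse whitespace, drop commas ("Town, Jenny" -> "town jenny")."""
    return " ".join(name.lower().replace(",", " ").split())


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def org_label(domain: str) -> str:
    """Leftmost label only: a crude way to spot example.org vs example.live.
    It does not understand multi-label suffixes such as co.uk."""
    return domain.split(".")[0]


def check_impersonation(raw_message: str) -> Optional[str]:
    """Return a reason string if the headers look like contact impersonation, else None."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    allowed = KNOWN_CONTACTS.get(normalize_name(name))
    if allowed is None:
        return None  # not a name we track; nothing to compare against
    from_domain = domain_of(addr)
    if from_domain not in allowed:
        lookalike = any(org_label(from_domain) == org_label(a) for a in allowed)
        hint = " and shares its first label with a legitimate domain" if lookalike else ""
        return (f"From name '{name}' matches a known contact, but sender domain "
                f"'{from_domain}' is not one of {sorted(allowed)}{hint}")
    # Going beyond the article: a genuine-looking From with a Reply-To on another
    # domain silently diverts the conversation and deserves the same flag.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) not in allowed:
        return f"Reply-To domain '{domain_of(reply_addr)}' is not a known domain for '{name}'"
    return None


# Constructed sample messages (only the headers matter for this check).
SPOOFED = """From: Jenny Town <jenny.town@example.live>
To: analyst@example.net
Subject: Request for a short article

Would you be able to write 1,500 words on the recent missile tests?
"""

LEGITIMATE = """From: Jenny Town <jtown@example.org>
To: analyst@example.net
Subject: Request for a short article

Would you be able to write 1,500 words on the recent missile tests?
"""

DIVERTED = """From: Jenny Town <jtown@example.org>
Reply-To: jenny.town@example.live
To: analyst@example.net
Subject: Request for a short article

Please send the draft to the address in Reply-To.
"""

if __name__ == "__main__":
    for tag, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE), ("diverted", DIVERTED)):
        print(f"{tag:10s}: {check_impersonation(raw) or 'no finding'}")
```

The check is deliberately narrow: it only fires for names that are already in the directory, so it produces no noise for strangers, and it says nothing about the body. That is the point the article makes: once the message carries no attachment or link, the sender identity is the only thing left to verify, and the cheapest confirmation is still the one DePetris used, a follow-up to the contact through an address you already trust.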
In one instance, she said, she was involved in a surreal email exchange in which the alleged attacker, posing as her, included her in a response.
DePetris, a member of Defense Priorities and a columnist for several newspapers, said the emails he received were written as if a researcher was asking for a paper submission or feedback on a project.
“They were quite sophisticated, with think tank logos attached to the correspondence to give the impression that the investigation is legitimate,” he said.
About three weeks after receiving the fake email from 38 North, another hacker impersonated him, emailing others to review a draft, DePetris said.
The email, which DePetris shared with Reuters, offers $300 for the review of a manuscript on North Korea’s nuclear program and asks for recommendations for other possible reviewers. Elliott said the hackers never paid anyone for their research or answers, and never intended to.
Spoofing is a common method for spies around the world, but as North Korea’s isolation has deepened under sanctions and the pandemic, Western intelligence agencies believe Pyongyang has become particularly dependent on cyber campaigns, a security source in Seoul told Reuters, speaking on condition of anonymity to discuss intelligence matters.
In a March 2022 report, a panel of experts investigating North Korea’s evasion of UN sanctions listed Thallium’s efforts among activities that “constitute espionage intended to inform and assist” the country in avoiding sanctions.
Town said in some cases the attackers commissioned papers and analysts provided full reports or manuscript reviews before realizing what had happened.
DePetris said the hackers questioned him about issues he was already working on, including Japan’s response to North Korea’s military activities.
Another email, claiming to be from a Kyodo News reporter in Japan, asked a 38 North staff member how they thought the war in Ukraine factored into North Korea’s thinking, and asked questions on American, Chinese and Russian policies.
“One can only assume that North Koreans are trying to get candid opinions from think tanks to better understand US policy on the North and where it may go,” DePetris said.
(Except for the title, this story has not been edited by NDTV staff and is published from a syndicated feed.)