Security Companies in South Korea Discover North Korean Cyberattack

Private security companies in South Korea Friday detected evidence that North Korea attempted to hack into the personal computers of select targets, a spear-phishing effort  using documents appearing to be related to former North Korean citizens running for South Korea’s April 15 legislative election, RFA has learned.

EST Security and AhnLab, which are prominent private security companies based in the Seoul metropolitan area, found Friday that Kimsuky, a known North Korean hacking organization, tried to break into the computers. They used documents, which were labeled as “Re: 21^st Legislative Election” and “Re: Diplomatic Documents (Director Jai-chun Lee).”

It was not immediately clear who Director Jai-chun Lee is, or why the second document was specifically labeled with Lee’s name.

The first file contains information on former citizens of North Korea running in next week’s election. Among the candidates is Thae Yong Ho, who defected while he was Pyongyang’s deputy ambassador to the United Kingdom in 2016. He is running as a candidate for the conservative-leaning United Future Party, hoping to represent Seoul’s Gangnam-A district.

The malicious document includes Thae’s date of birth, academic background, and history.

The document also includes information about candidates Han Mi-ok, Kim Joo-il, Lee Ae-ran, and Ji Seong-ho, who are all running as candidates of minor political parties as part of a wave of North Korean-born aspiring politicians in the South.

The companies were not able to determine to whom the files were sent.

The second file mentions the possibility of Thae, Ji and Lee winning their respective elections.

Moon Jong-hyun, the director of EST Security told RFA Friday that due to the nature of the attack, it was likely that Kimsuky had a specific target.

“Most attacks using document files are a form of spear-phishing, meaning they are targeted at a specific individual or company,” he said.

“As the sensitive information of the defector candidates are contained in these documents, we can be reasonably certain the person involved was a target of the North’s attack,” said Moon.

AhnLab also posted their analysis of the evidence online, saying that the hacking organization attempted to attack a specific target during the election period.

“The malicious documents likely were targeted to [hack] certain systems, because they are designed to be deftly identified only in certain circumstances. This was confirmed as an attack carried out by Kimusky,” said AhnLab’s Security Emergency Response Center (ASEC) in the online statement.

According to EST Security, these malicious documents files are intended to infect the target’s computer, collecting information and install malware to carry out further attacks.

“Kimsuky group continues to attack using documents,” said the ASEC statement.

“We will continue to analyze and share information about further attacks.”

This is not the first time North Korea has attempted to hack targets in other countries. In April 2013, RFA reported that the North had hacked into the banking networks of what it called “hostile countries,” attempting to steal money from specific accounts.

RFA also reported in Sep. 2018 that the U.S. sanctioned and lodged criminal charges in absentia against Park Jin Hyok, the North Korean hacker believed to be behind the 2017 global WannaCry ransomware cyberattack, the theft of $81 million from Bangladesh’s central bank, and the 2014 cyber assault on Sony Corp, attacks made on behalf of the North Korean government or the Korean Workers’ Party.

Reported by Yong Jae Mok for RFA’s Korean Service. Translated by Leejin Jun. Written in English by Eugene Whong.