North Korean hackers exploited public interest in October’s tragic Itaewon crowd surge to target South Koreans with malware, Google cybersecurity researchers said Wednesday.
The North Korean hackers distributed a corrupted Microsoft Word document that appeared to be an official press release from South Korea’s Ministry of Interior and Safety, according to a blog post by Google’s Threat Analysis Group, which focuses on government-backed cyber-attacks.
Once opened, the document would download another file that would attempt to deploy malware onto the user’s device.
The document exploited a previously unknown weakness in the Internet Explorer web browser, a so-called zero-day vulnerability, the Google blog post said. In a zero-day attack, hackers exploit such a flaw before the vendor has released a fix for it, to gain access to a computer system.
“We attribute this activity to a group of North Korean government-backed actors known as APT37,” Google added, saying the group has previously carried out similar attacks.
At least 158 people died in the crowd surge, which occurred when Halloween partygoers became stuck in a narrow alley in Seoul’s Itaewon neighborhood on October 29.
North Korea’s government never offered condolences over the incident. Instead, North Korea fired an unprecedented barrage of missiles, including some that landed near South Korea’s coast, during the South’s period of national mourning.
Google did not specify how the North Korean hackers distributed the corrupted document, who received it or how many devices may have been affected.
Google said it became aware of the North Korean malware in late October after multiple users from South Korea uploaded the document to the company’s VirusTotal tool, which analyzes suspicious files.
Within hours of discovering the hacking attempt, Google reported it to Microsoft, which sent out security updates about a week later to protect users from the attack, Google said.
“This is not the first time APT37 has used Internet Explorer 0-day exploits to target users,” Google said. “The group has historically focused their targeting on South Korean users, North Korean defectors, policy makers, journalists and human rights activists.”
North Korea, which is subject to international sanctions because of its illicit nuclear weapons program, has for years carried out a sophisticated campaign of government-backed cybercrime that has netted Pyongyang hundreds of millions of dollars.
The hacking attempts target both overseas organizations and those in South Korea.
On Thursday, several South Korean government agencies issued a joint statement warning tech companies to exercise greater caution to prevent unknowingly hiring North Korean IT workers.
The statement urged South Korean companies to strengthen background checks for such employees, noting that North Korea uses them to acquire foreign currency that helps fund its weapons program.