The Cyber Security Bureau of the National Police Agency announced on January 25 that cyber attacks that occurred in November last year and early this year were conducted by North Korean hackers. The attacks took the form of a series of emails containing malicious code from addresses impersonating North Korea human rights and academic research organizations, and were sent to individuals belonging to the diplomatic, security, defense and unification fields.
Daily NK reported on November 13 last year and January 2 this year that North Korean hackers distributed emails with files containing malicious code entitled, “The Uneasy Republic of Korea,” and “Analysis of North Korea’s 2017 New Year’s address,” disguised as being sent by organizations related to North Korean affairs.
“The emails were sent from a North Korean IP (Internet Protocol) address via a US server. The attached text files contain programs to extract information from the PC and download additional malicious code,” the Korea National Police Agency said in a press release.
When a person downloads the attached file, the malicious code connects to the hacker’s server to download and install additional code on the PC. The secondary files extract documents on the PC or personal information such as email accounts. However, evidence of damage by the infection has yet to be confirmed.
According to the police, the hacking attack was initiated at an IP address assigned to Ryugyong-dong, Pyongyang. This IP address was also the origin of hacking attacks such as the March 20, 2013 incident and a string of attacks on critical South Korean infrastructure. But the malicious code sent this time is considerably more versatile and can tailor itself to different scenarios. Although the hackers concealed the original IP address by passing through an overseas dummy server, the police have confirmed through the bypass server that the attacks originated in Ryugyong-dong.
A police spokesperson said, “The hacking attack seems to have the same purpose as the attacks last year, which sent emails with malicious code, impersonating the blue house (the Korean presidential residence). Recently, North Korea has been continuously trying to extract information by hacking the computers of personnel working in the defense and diplomatic fields.”
The police warned the recipients of the email to change their passwords and permanently disabled fake email accounts through the portal website. The malware included in the attached files has been listed and is now identifiable by a vaccine program.
The police also announced the results from an investigation into North Korea’s hacking activities from January last year to the present day. According to the report, North Korea has created at least 58 email accounts impersonating governmental agencies, international organizations, and even the security team of a portal service company from May 2012 and sent emails to 785 people in 97 organizations including 12 governmental agencies. The police reported that they are involved in an international cooperative investigation on North Korea’s overseas transit servers.
“Avoid opening emails from unknown senders and downloading attached files and be cautious not to expose your ID and password. People must take cyber security measures such as regularly changing of your passwords and keep checking your login history,” the police spokesperson added.
“The police will use all possible security measures including through our international cooperative investigation to continuously detect and track North Korea’s cyber attacks. We will also try to coordinate with the related organizations including the National Intelligence Service, Ministry of National Defense, Ministry of Science, and the Korea Internet and Security Agency, in order to prevent further damage and share information.”