Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

North Korean hackers targeting ‘experts’ on Korean peninsula

A long-running North Korean threat actor has been spotted actively targeting individuals on the peninsula, according to South Korean and German authorities.

user icon David Hollingworth
Thu, 23 Mar 2023
North Korean hackers targeting ‘experts’ on Korean peninsula
expand image

Germany’s Constitutional Protection Agency and South Korea’s National Intelligence Service released a joint advisory warning of the activity this week.

The group in question goes under a number of names, but in this instance is operating under the name Kimsuky. The group has been active since 2012 and is also known as Thallium or TA406. The threat actor largely goes after political targets, such as diplomats and think tanks, as well as non-government organisations.

In this case, however, the targets are experts on the Korean peninsula, who are being attacked via two methods — victims are tricked into either installing a malicious browser extension or a malicious app on the Google Play store for Android devices. In most instances, the threat actors pose as “portal administrators and acquaintances”.

============
============

The browser extension hijacks a victim’s Gmail account, sending any emails to a server operated by the hackers, while the browser extension poses as an “internal testing” environment, which accesses a user’s account details and syncs to their device. Both emails and cloud data can then be accessed by Kimsuky’s hackers.

“The National Intelligence Service and the Constitutional Protection Agency believe that the hacking attack described above is mainly targeting experts on the Korean Peninsula and North Korea, but since the technology exploited in this attack can be used universally, it can be used by foreign affairs and security think tanks around the world as well as unspecified people,” the advisory noted, according to The Record.

The advisory itself is written in Korean.

The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the US Cyber Command Cyber National Mission Force released a joint advisory in 2020 about Kimsuky’s activity, citing their belief that the group works on behalf of the North Korean government.

“Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions,” the CISA advisory read.

The group is known to target “organisations in South Korea, Japan, and the United States”.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.