North Korean spies have adopted new espionage tactics, emailing foreign experts and commissioning them to write research articles under the guise that they are someone else.
The new strategy is thought to be part of a campaign by a North Korean hacking group called Thallium, which, to date, has targeted five individuals, according to Reuters.
Where Thallium was previously known for spearphishing government officials for data such as emails and passwords, it is now asking experts directly for advice on North Korean political issues.
Uncovered emails have revealed spies asking questions regarding the effect of the Ukraine invasion on North Korea, US, Chinese and Russian policies, and how China would react to a new North Korean nuclear test.
The new espionage tactic first came to light when US analyst Daniel DePetris received an email from someone he thought was Jenny Town, director of 38 North, a website that analyses North Korean news, events and politics.
The email attempted to commission an article from DePetris covering North Korean security issues. He only realised that it was a scam when he reached out to Town with follow-up questions, and “found out there was, in fact, no request that was made, and that this person was also a target”, he told Reuters.
“So I figured out pretty quickly this was a widespread campaign.”
One spy even offered DePetris US$300 to review a document regarding North Korea’s nuclear program.
However, James Elliot of the Microsoft Threat Intelligence Center says that in instances where money has been offered, it has never been paid.
“The attackers are having a ton of success with this very, very simple method.
“[They] are getting the information directly from the horse’s mouth, if you will, and they don’t have to sit there and make interpretations because they’re getting it directly from the expert.”
Impersonation is nothing new for spies, but because sanctions and the pandemic have left North Korea isolated, Western intelligence believes the nation has become dependent on cyber operations.
Thallium has been operating since 2012 and has a history of collecting data through malware and malicious phishing; the new technique, however, simplifies that collection.
Rather than hacking someone’s account or gaining access to their email through social engineering, which risks being flagged and dealt with by cyber experts and can take weeks or months, contacting experts directly cuts out the cyber defender and leaves security to the email recipient and their ability to identify a fake email.
According to DePetris, this is no easy task, as the spies go to great lengths to make their emails look legitimate.
“They were quite sophisticated, with think tank logos attached to the correspondence to make it look as if the inquiry is legitimate,” he said.
Town said that emails pretending to be from her had small telltale signs, such as the email address ending in .live rather than .org, as her actual address does. However, she said the fake emails went as far as copying her signature.
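The indicator Town describes, a familiar display name paired with a domain that differs only in its suffix, is the kind of check a mail recipient or a mail-filtering rule can automate. The following is an added example, not code from the article or from any organisation named in it; the contact directory, names and domains are constructed placeholders, and the domain comparison simply strips the last label rather than using a public-suffix list.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of known correspondents (display name -> the domain
# their genuine mail comes from). Names and domains are placeholders, not real.
KNOWN_CONTACTS = {
    "j. director": "thinktank-example.org",
}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _label(domain):
    """Domain without its final label: 'thinktank-example.live' -> 'thinktank-example'."""
    return domain.rsplit(".", 1)[0]


def check_sender(raw_message):
    """Return findings for the From/Reply-To headers of one RFC 5322 message.

    A known display name paired with a domain that matches the expected one
    except for its suffix (.live vs .org) is the lookalike pattern described
    in the article; any other domain is flagged as an unexpected pairing.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected is None:
        return []  # unknown correspondent: nothing to compare against
    domain = _domain(addr)
    findings = []
    if domain != expected:
        if _label(domain) == _label(expected):
            findings.append(f"lookalike domain {domain} (expected {expected})")
        else:
            findings.append(f"display name '{name}' paired with unexpected domain {domain}")
    reply_to = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != domain:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {domain}")
    return findings


# Constructed samples: one impersonation of the kind the article describes, one genuine.
SPOOF = "From: J. Director <director@thinktank-example.live>\nReply-To: director@mail-example.net\nSubject: Article commission\n\nCould you write a short piece?\n"
GENUINE = "From: J. Director <director@thinktank-example.org>\nSubject: Hello\n\nThanks.\n"

if __name__ == "__main__":
    print(check_sender(SPOOF))    # lookalike domain and Reply-To mismatch
    print(check_sender(GENUINE))  # no findings
```

Because the copied signature and logos in the body are under the sender's control, the check deliberately looks only at headers, which the impersonator cannot make match the genuine domain without controlling it.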