Personally identifiable information (PII) on nearly 1000 defectors from North Korea has been stolen in a cyber-raid, the South Korean government revealed late last week.
It’s believed that one of the 25 “Hana” support centers for defectors in the country was targeted by a classic phishing attack.
“Recognizing a possibility of one personal computer at the Hana Center in North Gyeongsang Province having been hacked, we carried out an on-site probe on December 19 in cooperation with the provincial government and the center and confirmed the computer was infected with a malicious code,” the Ministry of Unification said.
“In that computer, there was a file containing personal information of North Korean defectors. The file was confirmed to have been leaked.”
The phishing campaign involved the hijacking of an internal email account to make the phishing message appear more legitimate, according to reports.
Around 30,000 defectors currently live in the affluent south, but many still have family north of the border, which could make their personal information of interest to Pyongyang. Names, addresses and dates of birth were among the stolen details.
Those affected have been informed, and the ministry is said to be taking steps to air-gap computers storing sensitive data from 2019 to mitigate the risk of such attacks — although this is the first major breach of defectors’ personal data, according to Yonhap News.
An unnamed ministry official was reluctant to attribute the attack but all eyes will be on Pyongyang, given the hermit nation has become a prolific offensive state actor.
In October, FireEye revealed new research claiming that there are at least three main state-sponsored hacking groups operating today: Lazarus, APT38 and TEMP.Hermit.