North Korean Hackers Impersonate Researchers to Steal Intel

A prolific North Korean state hacking group has gone back to basics in a new attempt to understand Western thinking about the hermit nation, according to Microsoft.

Instead of using spear-phishing emails and/or covert information-stealing malware, the hackers are using fairly simple impersonation tactics to get the information they want, the Microsoft Threat Intelligence Center (MSTIC) told Reuters.

They’re doing this by sending emails to researchers and foreign affairs analysts, spoofed to appear as if sent by journalists and peers in the industry. These missives will ask straight out for the experts’ thoughts on North Korean security issues or even offer them money to write reports.

One target, US-based analyst Daniel DePetris, told the newswire that he received emails from a purported think-tank researcher asking for a paper submission or comments on a draft.

One apparently offered him $300 to review a document about North Korea's nuclear program and asked for recommendations for other possible reviewers.

In another incident, a faked Kyodo News reporter reached out to a staffer at specialist analyst house 38 North asking how they thought the war in Ukraine impacted North Korea, as well as US, Chinese and Russian policies.

The 38 North director Jenny Town was also impersonated in an email sent to DePetris asking for information. He said the emails included authentic-looking logos and email signatures, so it was only when he followed up with the real Jenny Town that he realized it was a scam.

The new campaign has been running since January and is attributed to the North Korean Kimsuky (Thallium) group.

It’s both quicker and easier to elicit information from certain sources this way, rather than running spear-phishing campaigns, developing malware and then wading through compromised email inboxes for the right intelligence.

“The attackers are getting the information directly from the horse’s mouth, if you will, and they don't have to sit there and make interpretations because they’re getting it directly from the expert,” said MSTIC team member James Elliott.

“The attackers are having a ton of success with this very, very simple method. For us as defenders, it’s really, really hard to stop these emails.”