Cyberspies attack key South Korean institutions, North Korean hackers suspected

The targeted attack uses malware to steal sensitive information, according to Kaspersky Lab researchers

South Korean organizations that conduct research on international affairs, national security and Korean unification are under siege from cyberspies whose attack may have its origins in North Korea.

The attack campaign, which has been dubbed "Kimsuky," involves the use of malware to steal sensitive information from these institutions and has been monitored for the past several months by researchers from antivirus vendor Kaspersky Lab.

The full list of victims remains unknown, but Kaspersky's technical analysis suggests that the targeted organizations included: the Sejong Institute, a non-profit think tank that conducts research in the areas of national security, unification, regional issues and international political economy; the Korea Institute for Defense Analyses (KIDA), a research institution whose work focuses on military planning, security and strategy, human resource development, weapon systems and more; the South Korean Ministry of Unification, which works towards the reunification of Korea and promotes inter-Korean dialogue; and Hyundai Merchant Marine, a South Korean logistics company specialized in container shipping.

"Among the organizations we counted, 11 are based in South Korea and two entities reside in China," Dmitry Tarakanov, a malware researcher at Kaspersky Lab, said Wednesday in a blog post.

The malware used in the attack, which is now detected by Kaspersky products as Trojan.Win32.Kimsuky, communicates with the attackers through a free webmail service in Bulgaria. The malware connects to the webmail interface and authenticates with hardcoded credentials for specific accounts.

It then checks the inbox folder for messages whose subject lines carry specific commands from the attackers. Those emails can also carry encrypted attachments: malicious executable files that serve as updates or additional components for the malware.

It's not clear how attackers distribute the Kimsuky Trojan horse program to their targets, but spear-phishing is a likely possibility, Tarakanov said.

The malware has several modules used for different functions that include keylogging, collecting directory listings from the infected computers, searching for and stealing documents in the HWP format that are generated by the South Korean Hancom Office Suite software and allowing attackers to remotely control the infected computers.

The remote control module is actually a modified version of TeamViewer, a legitimate remote control application, Tarakanov said.

The malware reports the infection status and sends all of the stolen data back to the attackers using the same webmail-based technique. The data is encrypted and attached to emails which are sent from the accounts to hardcoded Hotmail accounts used by the attackers.
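The two-way webmail channel described above (periodic logins to a hardcoded external account for commands, and outbound messages with encrypted attachments from that same account for stolen data) leaves a recognizable footprint in egress logs. The following is an added detection example, not code from Kaspersky or from the article; it runs over constructed proxy records, and the host names, accounts, domains (`freemail.example`, `corp.example`) and the `SANCTIONED_MAIL_HOSTS` set are all assumptions standing in for an organization's own environment.

```python
"""Flag hosts that poll an external webmail account on a fixed schedule and
also send attachments outward from that account. Added example over
constructed egress-proxy records; not Kaspersky's tooling."""
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: WS-DEV-07 logs in to an external free-webmail account
# every ten minutes and then mails an attachment from it to another external
# mailbox; WS-HR-02 uses the corporate mail host normally.
SAMPLE_LOG = """\
timestamp,host,process,dst_host,action,account,recipient,attachment_bytes
2013-09-11T09:00:00,WS-DEV-07,updater.exe,webmail.freemail.example,login,drop01@freemail.example,,0
2013-09-11T09:10:00,WS-DEV-07,updater.exe,webmail.freemail.example,login,drop01@freemail.example,,0
2013-09-11T09:20:00,WS-DEV-07,updater.exe,webmail.freemail.example,login,drop01@freemail.example,,0
2013-09-11T09:30:00,WS-DEV-07,updater.exe,webmail.freemail.example,login,drop01@freemail.example,,0
2013-09-11T09:31:00,WS-DEV-07,updater.exe,webmail.freemail.example,send,drop01@freemail.example,collector@otherfree.example,248832
2013-09-11T08:55:00,WS-HR-02,outlook.exe,mail.corp.example,login,j.kim@corp.example,,0
2013-09-11T10:12:00,WS-HR-02,outlook.exe,mail.corp.example,login,j.kim@corp.example,,0
2013-09-11T11:40:00,WS-HR-02,outlook.exe,mail.corp.example,send,j.kim@corp.example,partner@vendor.example,51200
"""

SANCTIONED_MAIL_HOSTS = {"mail.corp.example"}  # assumption: the organization's own mail service
MIN_POLLS = 3       # need several logins before calling the pattern periodic
MAX_JITTER = 0.10   # login intervals within 10% of the median count as a fixed schedule


def parse_log(text):
    """Parse the CSV records into dicts with typed timestamp and size fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["attachment_bytes"] = int(row["attachment_bytes"])
        rows.append(row)
    return rows


def is_periodic(times):
    """True when there are enough logins and their spacing is nearly constant."""
    times = sorted(times)
    if len(times) < MIN_POLLS:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mid = median(gaps)
    return mid > 0 and all(abs(g - mid) <= MAX_JITTER * mid for g in gaps)


def find_webmail_c2(rows):
    """Return one finding per (host, account) that both polls an external
    webmail account on a fixed schedule and sends attachments from it."""
    logins = defaultdict(list)
    sends = defaultdict(list)
    for r in rows:
        if r["dst_host"] in SANCTIONED_MAIL_HOSTS:
            continue  # normal corporate mail traffic is out of scope
        key = (r["host"], r["account"])
        if r["action"] == "login":
            logins[key].append(r["timestamp"])
        elif r["action"] == "send" and r["attachment_bytes"] > 0:
            sends[key].append((r["recipient"], r["attachment_bytes"]))
    findings = []
    for key, times in logins.items():
        if is_periodic(times) and sends.get(key):
            host, account = key
            findings.append({
                "host": host,
                "account": account,
                "polls": len(times),
                "exfil_recipients": sorted({to for to, _ in sends[key]}),
                "exfil_bytes": sum(n for _, n in sends[key]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_webmail_c2(parse_log(SAMPLE_LOG)):
        print(finding)
```

Requiring both signals (fixed-interval polling and outbound attachments from the same account) keeps an ordinary user who checks a personal webmail account from being flagged; the jitter threshold and minimum poll count are tuning knobs for the logs at hand.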

On system startup, the malware disables a firewall product developed by AhnLab, a South Korean security software vendor, if present and then turns off the Windows Security Center service in order to prevent the system from alerting users that no firewall is running.

A lot of South Korean organizations use AhnLab security products and because the targets are almost exclusively from South Korea, the attackers don't even bother trying to evade security products from other vendors, Tarakanov said.
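The startup behaviour just described (a security vendor's firewall service stopped, then the Windows Security Center service switched off so the missing firewall is never reported) shows up in the Windows System log as Service Control Manager events. The block below is an added example, not code from the article or from Kaspersky; it scans constructed System-log records for Event ID 7036 ("entered the stopped state") and 7040 ("start type ... changed ... to disabled") hitting watched services within a short window after the boot marker (Event ID 6005). "Security Center" is the real display name of that Windows service; `ExampleFirewallSvc` is a placeholder for a vendor firewall service, and the host names and timestamps are constructed.

```python
"""Flag hosts where the Security Center service or a watched firewall service
is stopped or disabled shortly after boot. Added example over constructed
Windows System-log records; not Kaspersky's tooling."""
import re
from collections import defaultdict
from datetime import datetime

# "Security Center" is the real Windows display name; the second entry is a
# placeholder for a vendor firewall service and is an assumption.
WATCHED_SERVICES = {"Security Center", "ExampleFirewallSvc"}
BOOT_WINDOW_SECONDS = 180  # how soon after boot a stop/disable counts as tampering

# Constructed records: timestamp|host|source|event_id|message.
SAMPLE_EVENTS = """\
2013-09-11T08:30:02|WS-DEV-07|EventLog|6005|The Event log service was started.
2013-09-11T08:30:40|WS-DEV-07|Service Control Manager|7036|The ExampleFirewallSvc service entered the stopped state.
2013-09-11T08:30:41|WS-DEV-07|Service Control Manager|7040|The start type of the Security Center service was changed from auto start to disabled.
2013-09-11T08:30:42|WS-DEV-07|Service Control Manager|7036|The Security Center service entered the stopped state.
2013-09-11T08:30:43|WS-DEV-07|Service Control Manager|7036|The Print Spooler service entered the running state.
2013-09-11T08:31:10|WS-HR-02|EventLog|6005|The Event log service was started.
2013-09-11T08:31:30|WS-HR-02|Service Control Manager|7036|The Security Center service entered the running state.
2013-09-11T18:02:11|WS-HR-02|Service Control Manager|7036|The Security Center service entered the stopped state.
"""

STOP_RE = re.compile(r"The (?P<svc>.+?) service entered the (?P<state>\w+) state\.")
STARTTYPE_RE = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\."
)


def parse_events(text):
    """Split the pipe-delimited records and return them in time order."""
    events = []
    for line in text.splitlines():
        ts, host, source, event_id, message = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "source": source,
            "event_id": int(event_id),
            "message": message,
        })
    return sorted(events, key=lambda e: e["ts"])


def tamper_action(event):
    """Return the watched service name if this event stops or disables one, else None."""
    if event["event_id"] == 7036:
        m = STOP_RE.match(event["message"])
        if m and m["state"] == "stopped" and m["svc"] in WATCHED_SERVICES:
            return m["svc"]
    elif event["event_id"] == 7040:
        m = STARTTYPE_RE.match(event["message"])
        if m and m["new"] == "disabled" and m["svc"] in WATCHED_SERVICES:
            return m["svc"]
    return None


def find_startup_tampering(events):
    """Map host -> [(service, event_id, seconds_after_boot)] for stops or
    disables of watched services inside the post-boot window."""
    last_boot = {}
    findings = defaultdict(list)
    for e in events:
        if e["event_id"] == 6005 and e["source"] == "EventLog":
            last_boot[e["host"]] = e["ts"]  # boot marker: event log service started
            continue
        svc = tamper_action(e)
        if svc is None or e["host"] not in last_boot:
            continue
        delay = (e["ts"] - last_boot[e["host"]]).total_seconds()
        if delay <= BOOT_WINDOW_SECONDS:
            findings[e["host"]].append((svc, e["event_id"], int(delay)))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in find_startup_tampering(parse_events(SAMPLE_EVENTS)).items():
        print(host, hits)
```

Tying the check to the boot marker matters: the same Security Center stop event appears legitimately at every shutdown, so only a stop or disable that lands seconds after startup, as the article describes, is worth an alert.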

Taking into account the profiles of the targeted organizations, one could easily suspect that the attackers might be from North Korea, the researcher said. "The targets almost perfectly fall into their sphere of interest."

One piece of evidence that supports this theory has to do with the geographic location of the Internet Protocol (IP) addresses used by the attackers.

"During our analysis, we observed ten IP addresses used by the Kimsuky operators," Tarakanov said. "All of them lie in ranges of the Jilin Province Network and Liaoning Province Network, in China."

"Interestingly, the ISPs providing Internet access in these provinces are also believed to maintain lines into North Korea," the researcher said, adding that no other IP addresses have been discovered that would put the attackers' activity in other IP ranges.

South Korea frequently attributes cyberattacks against organizations and institutions in the country to North Korean hackers. However, as with most cyberattacks in general, establishing the location of the attackers with a high degree of certainty is not possible.

Stories by Lucian Constantin