North hacked 90 security, media email accounts

A suspected group of North Korean hackers attempted to gain access to at least 90 email accounts of South Korean foreign affairs and security officials, journalists and analysts, successfully retrieving passwords for more than half of them, prosecutors said Monday.

The Supreme Prosecutors’ Office said that the presumed North Korean cyberattack group conducted the hack between January and June, targeting officials in the Foreign Affairs, Unification and Defense ministries as well as journalists accredited to these branches and analysts at Pyongyang-related research institutes.

It added that the hackers were able to retrieve passwords for 56 of some 90 accounts that they attempted to break into through a phishing method similar to the one used in Pyongyang’s previous cyber attacks.

This latest attack comes days after Pyongyang’s top spy agency was accused by police here of being behind the hack and data leak of millions of customers of the popular South Korean online shopping mall Interpark.

It also comes after concerns by the government that Pyongyang may be preparing for a large-scale cyber attack on the South at a time of heightened inter-Korean tension.

To hack the email accounts, prosecutors said the group set up 27 phishing sites that impersonated the portal sites of major government agencies, universities and institutes.

These phishing sites would then send an email notifying users that their password had been compromised. These emails included a link that, if accessed, prompted users to change their password, thus allowing hackers to acquire the user’s ID and password.

The hackers used the same method as the cyber attack on the South’s Korea Hydro and Nuclear Power in December 2014, which prosecutors here said was made by sending out phishing emails. Between Dec. 9 and 12, North Korean hackers were said to have sent out 5,986 phishing emails containing malicious codes to 3,571 employees of the nuclear power plant operator. Blueprints and other data were compromised.

The National Police Agency said on Thursday that Pyongyang’s top intelligence agency, the General Bureau of Reconnaissance, was behind the theft of personal data of more than 10 million Interpark customers including names, birthdays, phone numbers, home addresses and emails after a cyber attack in May.

Interpark claimed it was unaware its servers had been breached until the anonymous hacking group demanded a ransom in the form of bitcoin, a digital currency, on July 11.

Police said that the same kind of codes and Internet protocol addresses were used in the Interpark attack as those that have been used in previous cyber attacks by Pyongyang.

The General Bureau of Reconnaissance was also accused of the crippling hack of Sony Pictures in 2014 for its comedy movie on the assassination of North Korean leader Kim Jong-un in “The Interview,” although this has not been confirmed.

“The National Intelligence Service, Korea Internet and Security Agency and other related agencies are cooperating to close down the phishing sites and take measures to protect the compromised accounts,” said a prosecutor. “Various malicious codes are spreading frequently on the Internet through searches and downloads, so there needs to be continuous security measures.”

Prosecutors are in the process of checking if any secret information was leaked. Officials from related government branches have so far said that no classified documents were accessed.

While these phishing sites have been shut down, prosecutors say there could be more and advised users to change their passwords frequently as a precaution.

Prosecutors said the IP address of the hackers was traced to Shenyang in Liaoning Province, northeastern China, the source of the 2014 hack on KHNP.

Shenyang has often been named as a base for the notorious secret network of elite North Korean hackers known as Bureau 121, which operates under the Reconnaissance General Bureau.

The South’s intelligence agencies estimate North Korea to have some 6,800 hackers. North Korea has in the past been accused of hacking into Korea’s financial firms, media and government agencies.

Pyongyang was also behind the cyber attack on the JoongAng Ilbo and the Korea JoongAng Daily’s website and server in 2012, which the National Police Agency said was orchestrated by its Ministry of Posts and Telecommunications.

BY SARAH KIM [kim.sarah@joongang.co.kr]