Academics involved in North Korea studies are hacked

A cyber security company warned on Thursday that hackers connected to North Korea were attempting to break into South Korean computers using an e-mail message disguised as a news update regarding President Roh Tae-woo's death.
The company, called East Security, explained that hackers sent e-mails bearing the sender ID “Naver News” to academics and experts working in North Korea-related fields.
The actual origin of the e-mails was found to be the Bulgarian e-mail service “mail.bg”. The service has been used several times by cyber-criminal organizations linked to North Korea.
East Security said the attacks seemed to be from a hacking group called “Thallium,” which is linked to the North’s Reconnaissance General Bureau, the state intelligence agency that manages clandestine operations against the South.
In the last two decades, Pyongyang has shifted from using ground operatives to state-sponsored and employed hackers to conduct intelligence operations targeting Seoul.
The e-mail purported to be a news article saying that SK Chairman Choi Tae-won, the late former president’s son-in-law, would visit Roh’s funerary altar at Seoul National University Hospital to pay his respects and afterward go on a business trip to the United States.
By masquerading as a bona fide news update, the message lowered the chances that the recipients might catch on to the fact it was a hacking attempt.
Clicking a button redirected the user to a fake news website at ‘nnews.naver-con.cloudns[.]cl’ that showed a fake front page.
Phrases and graphic logos employed in the ruse article were lifted without authorization from actual news articles posted on the Korean portal site Naver.
However, if a recipient of the message pressed the “News Shortcut” button included in the text, it surreptitiously connected the user to an overseas server called livelogin365.in[.]net.
Once connected to that overseas server, there was a high risk that some private data, such as the user’s IP address and web browser, might be exposed.
There was an additional possibility that malicious files could be installed on the user’s computer, although it was not immediately clear if this actually occurred.
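The two tells described above, a “Naver News” sender ID on mail that actually came from mail.bg and a link host that merely contains the brand name, can be checked mechanically at a mail gateway. The Python sketch below is an added example, not code from East Security or this article; the `BRANDS` allowlist, the function names and the sample message (including its sender address and URL scheme) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands to protect, mapped to the domains they legitimately use.
BRANDS = {"naver": {"naver.com"}}

# Constructed sample built from the details reported in the article.
SAMPLE = (
    'From: "Naver News" <sender@mail.bg>\n'
    "Subject: news update\n"
    "\n"
    "News Shortcut: http://nnews.naver-con.cloudns[.]cl/\n"
)

def _in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the allowed domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_mismatches(raw_message):
    """Flag places where a brand name is shown but the domain is not the brand's."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Collect the text of every non-multipart part, decoding transfer encodings.
    body = "".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in msg.walk() if not p.is_multipart()
    )
    findings = []
    for brand, domains in BRANDS.items():
        # Tell 1: display name claims the brand, address domain does not match.
        if brand in display.lower() and not _in_domains(sender_domain, domains):
            findings.append(("display-name", sender_domain))
        # Tell 2: link host embeds the brand string but is not a brand domain.
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            # The sample is defanged with "[.]"; undo that before parsing.
            host = urlparse(url.replace("[.]", ".")).hostname or ""
            if brand in host and not _in_domains(host, domains):
                findings.append(("link-host", host))
    return findings

if __name__ == "__main__":
    for kind, value in brand_mismatches(SAMPLE):
        print(kind, value.replace(".", "[.]"))
```

A message whose display name and links both resolve to the brand's own domains produces no findings, so the check can run on all inbound mail and raise an alert only on a mismatch.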
Thallium has been known to insert malicious macro code into Word, Excel or PDF files sent to target computers. Once downloaded, such files exposed those computers to hacking attacks.
It was not clear whether the hackers used the fake news article to actually hack their targets, or merely to check whether the e-mail recipients had clicked the button inside the e-mail or were on guard against hacking attempts.
Moon Jong-hyeon, chief of East Security, warned that analysts and academics working in North Korea-related fields of research should “always be wary of messages sent by people with whom they have had no previous contact.”
BY MICHAEL LEE