North Korean Hackers Kimsuky Trick 1 in 4 with Spear-Phishing Scam

“Respected Policy Advisory Committee member, please read the security pledge and write your name and signature by hand before replying by email.”

Caution is advised as spear-phishing emails have been sent out by the North Korean hacking organization Kimsuky.

On the 3rd, cybersecurity firm Hauri revealed that the number of spear-phishing cases by the North Korean hacking organization Kimsuky is rapidly increasing. Spear-phishing refers to cyber attacks targeting specific individuals or groups.

According to Hauri, from January to October 2023, 24 accounts were impersonated, and 16 mail servers were used for spear-phishing. These emails were sent to over 400 major domestic and international institutions personnel.

These institutions include the Korea CFO Association, Georgetown University, the International Peace Association, the Ministry of Foreign Affairs of the Republic of Korea, the Ministry of Foreign Affairs of Japan, the Presidential Office, and the U.S.-North Korea Committee.

Professors, journalists, and high-ranking officials in politics, diplomacy, defense, and North Korea expertise were impersonated to send out covert and natural spear-phishing emails continuously.

Instead of directly attaching malicious code to the target, initial decoy emails were sent as New Year’s greetings, Christmas greetings, meeting requests, advisory requests, expert opinion requests, etc. A malicious code was sent when the recipient showed interest and responded to the email.

After checking the sending and receiving records of the hacked accounts, Hauri found that the average response rate was about 25%. The response rate is the percentage of recipients who received the spear-hacked email and replied to the sender without suspicion.

The malicious code was distributed in the form of document files (.doc, .docx), downloads using cloud services (Google, MS, etc.), Windows disk compressed files (.iso), malicious script files (.vbs), HTML files, and more.

A Hauri’s Security Response Center representative said, “The spear-phishing emails confirmed this time is completely different from the previous methods of distributing malicious code.” They added, “Because they meticulously, perfectly, and naturally respond according to the target’s information and the content of the reply, and then attempt to distribute malicious code, it’s no different from normal email communication, making it even more dangerous.”

They added that this year, it is expected that the APT (Advanced Persistent Threat) attack group will persist in sending spear-phishing emails in various forms, both within the country and internationally. As a result, they stressed the importance of exercising extra caution when using email.

By. Da Un Kim