A series of hacks targeting South Korean think tanks, as well as the website for the country’s Ministry of Unification, has been traced to North Korea.
According to Kaspersky Labs, a Russian security firm, this is the first time a hack can be attributed to a North Korean agency.
The hacking campaign, called “Kimsuky,” is “limited and highly targeted,” Kaspersky said in a blog post. The hackers targeted 11 organizations based in South Korea and two entities in China. They included the Sejong Institute, the Korea Institute For Defense Analysis, Hyundai Merchant Marine, and the Supporters of Korean Unification.
The Kimsuky trojan performs keystroke logging, directory listing collection, remote control, and theft of HWP documents (the format used by the Hangul word processor). The attackers are reportedly using a modified version of the TeamViewer remote access application as a backdoor to pull files from any machine they are able to infect.
Beyond the choice of targets, which include government departments and other organizations devoted to the reunification of the two Koreas, Kaspersky infers the North Korean origin of the malware and its operators from three indicators. First, the compilation path string embedded in the malware contains Korean words. Second, two email addresses used by the bots (to send status reports and to transmit information about infected systems as attachments) are registered under names that point to a North Korean origin. Third, the 10 source IP addresses used by the hackers all fall within the Chinese provinces that lie along the North Korean border.
Although it is not certain, the initial infections are believed to have been accomplished through spearphishing attacks.