Two researchers at the security firm FireEye, Genwei Jiang and Josiah Kimble, wrote Thursday that there was strong evidence connecting North Korea to intrusions that relied on flaws in the Hangul Word Processor, a South Korean program that’s popular with the country’s businesses. Users who opened infected HWP files unknowingly granted monitoring programs access to their machines.
“While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets,” the firm said, “and based on code similarities and infrastructure overlap, FireEye Intelligence assesses that this activity may be associated with North Korea-based threat actors.”
The IP addresses of the servers that collected data from the monitoring programs had been linked to other suspected North Korea attacks, the researchers said.
Hancom, the maker of HWP, patched the flaw in its software on Monday.
The use of unpatched software vulnerabilities to gain access to a machine is known as a zero-day exploit. Attackers—from North Korea, according to the U.S. State Department—apparently used the same strategy to infiltrate the servers of Sony Pictures Entertainment and steal highly sensitive corporate documents.
H/T CSO | Illustration by Fernando Alfonso III