About the Author
Chad O'Carroll has written on North Korea since 2010 and writes between London and Seoul.
Individuals in the North Korea research and policy community have in recent weeks been targeted by several phishing campaigns designed to obtain passwords and other personal information.
NK News is aware of at least three email addresses which have been used to send correspondence with malicious links or attachments to people working in the North Korea field, including one belonging to this journalist.
Targets have included U.S. government officers, think tank staff, journalists and researchers, with the techniques mirroring efforts to target the DPRK-focused community as far back as 2010.
Typically using email addresses that impersonate people working on North Korea issues, the messages invite recipients to download attached malicious documents or click on phishing links.
Addresses impersonating this journalist; Glyn Ford, the author of several books on the DPRK; and Jeroyng Hong, a diplomat from the DPRK Mission in New York City, have all been used to send malicious emails since July.
NK News analysis of several of these messages showed users being taken through a redirect to a Google-style login page hosted on a malicious domain, where they are invited to enter their password.
In one recent case, an email footer sought to justify entering a password on a third-party site, explaining that due to a “security policy of UN” the recipient would need to authorize themselves again to read the related attachment.
Sending domains of the phishing emails have included both protonmail.com and gmail.com, and messages from both domains seen by NK News carried the footer justifying password re-entry.
Likely as part of the same campaign, an email address named “[email protected]” sent emails in broken English to multiple recipients in Washington, DC and New York City in early July, including an attachment entitled “DPRK Human Rights.zip”.
The attachment contained a redirect link to another malicious website URL.
NK News tracked the “[email protected]” sender as using a Windows 7 computer, likely using a VPN, with a Japan-based IP location: 184.108.40.206.
Further, a Gmail-sent email from “Glyn Ford”, with subject line “Please refer it.” claimed to offer “the English translation of the meeting minutes between Biegun and Im!”
“I found it interesting and inspiring,” it read. “It was a form of an interview taken Biegun in which he asked the former minster of Unification of the ROK, Dong-Won Im for advice in promoting talks and negotiations with North Korea,” the message further said.
Like the note sent by the DPRK Mission in New York City, it contained a malicious link.
“This sort of thing happens from time to time, especially for those Westerners who are involved in track 2, NGO or other work that puts them in contact with North Koreans,” said one of the recipients of the emails, requesting anonymity.
“It may be coming from North Korean institutions, but there are certainly other candidates as well.”
The website NKEconwatch.com has since 2010 been detailing similar attacks on researchers in the North Korea community. Notably, at least one of those attacks originated in South Korea.
Like the messages now being received in 2019, emails featured by NK Econwatch have regularly tried to spoof figures working in the field.
“I have fended off no less than six attempts to break into my computer–including two attempts just today (three this week),” wrote Curtis Melvin in 2010.
“One email containing a virus was ostensibly from a North Korea expert and the second email was intended to look like it came from the Korea Economic Institute (it even referenced an actual upcoming event of theirs).”
To better protect themselves, those working in the North Korea community should ensure they use two-factor authentication with their password, change passwords regularly, and take care that received emails match the known addresses of senders.
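The last of those checks can be automated. The following Python sketch is an added example, not code from NK News: it flags messages whose display name matches a known contact while the address does not, the pattern described in this article. The address book, the `.example` addresses, the webmail lookalike addresses and the warning codes are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: people you already correspond with and the
# addresses you have verified for them (placeholder .example domains).
KNOWN_SENDERS = {
    "glyn ford": {"glyn.ford@known-org.example"},
    "example colleague": {"colleague@research.example"},
}
# Free webmail domains the article names as sources of the phishing emails.
WEBMAIL_DOMAINS = {"gmail.com", "protonmail.com"}


def check_sender(raw_message: str) -> list[str]:
    """Return warning codes for the From header of one raw email."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    name_key = " ".join(name.lower().split())  # collapse case and spacing
    warnings = []

    verified = KNOWN_SENDERS.get(name_key)
    if verified is not None and addr not in verified:
        warnings.append("name-matches-contact-address-does-not")
    # Edge case: a verified address typed into the display-name field,
    # which many mail clients show in place of the real sending address.
    all_verified = set().union(*KNOWN_SENDERS.values())
    if any(v in name_key for v in all_verified) and addr not in all_verified:
        warnings.append("verified-address-in-display-name")
    if warnings and addr.rpartition("@")[2] in WEBMAIL_DOMAINS:
        warnings.append("sent-from-webmail")
    return warnings


# Constructed sample messages; only the From header matters here.
SPOOFED = (
    'From: "Glyn  Ford" <constructed.lookalike@gmail.com>\n'
    "Subject: Please refer it.\n\nbody\n"
)
GENUINE = "From: Glyn Ford <glyn.ford@known-org.example>\nSubject: hi\n\nbody\n"
NAME_TRICK = (
    'From: "glyn.ford@known-org.example" <constructed.other@protonmail.com>\n'
    "Subject: notes\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("genuine", GENUINE), ("trick", NAME_TRICK)]:
        print(label, check_sender(raw))
```

A clean result only means the From header is consistent with the address book; it says nothing about links or attachments in the body.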
Have you received emails similar to these? If so, please share the email and further information to [email protected]