North Korean hackers have used stolen residential details of a former South Korean government official to spread malware and gain access to their victims’ computers, security researchers in Seoul told NK News.
“We are 100% sure the ‘Kimsuky’ group was behind this attack,” Director at ESTsecurity Mun Chong Hyun said, referring to a group of hackers that has previously been linked to North Korea and had carried out similar attacks in November and January last year.
The campaign used a file with the SCR extension disguised as a PDF to install a type of malware known as a trojan, which downloads additional code and gives hackers access to a victim’s computer, according to the report released by ESTsecurity last week.
When opened, the file displays the Resident Registration Certificate of a former official at South Korea’s Unification Education Center, while installing a trojan in the background.
The name of the file, “Copy of resident registration,” appears to be aimed at sparking the interest of recipients in South Korea, who are familiar with this kind of document.
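As an added defender's example, not code from the ESTsecurity report or from NK News, the check below flags mail attachments of the kind described above: a Windows executable (.scr is a screensaver, which Windows runs as a normal PE binary) whose name is dressed up as a PDF, or a file whose extension claims a document but whose first bytes are a PE header. The file names and contents are constructed samples, not the real attachment.

```python
import os

# Extensions Windows executes as native PE binaries (screensavers included).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".cpl"}
# Extensions a recipient would expect for a scanned certificate.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".hwp", ".txt"}
# Content signatures: PE files start with "MZ", PDFs with "%PDF".
MAGIC = {b"MZ": "pe", b"%PDF": "pdf"}


def sniff(data: bytes) -> str:
    """Return the content type implied by the file's leading bytes."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def classify_attachment(name: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    # With "hide extensions for known file types" on, Explorer shows
    # "Copy of resident registration.pdf.scr" as "Copy of resident registration.pdf".
    inner_ext = os.path.splitext(root)[1].lower()
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        findings.append(f"executable {ext} hiding behind {inner_ext} name")
    elif ext in EXECUTABLE_EXTS:
        findings.append(f"executable attachment ({ext})")
    if ext in DOCUMENT_EXTS and sniff(data) == "pe":
        findings.append("PE header in a file with a document extension")
    return findings


# Constructed samples (hypothetical bytes, not the real malware).
SAMPLES = {
    "Copy of resident registration.pdf.scr": b"MZ\x90\x00" + b"\x00" * 60,
    "resident registration.pdf": b"%PDF-1.4\n%constructed sample\n",
    "notes.pdf": b"MZ\x90\x00" + b"\x00" * 60,  # renamed PE, wrong extension
}


def scan(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the check over every sample and keep only those with findings."""
    return {n: f for n, d in samples.items() if (f := classify_attachment(n, d))}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name}: {'; '.join(findings)}")
```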
The report does not explain how the hackers may have gotten access to the former government official’s certificate, but researchers were confident that the attack was carried out by the “Kimsuky” group, Mun told NK News.
The company had analyzed the malicious code and found significant similarities with code used in previous attacks that had also been attributed to North Korea, the researchers wrote in their report, though the servers used by the trojan to remotely control infected computers had changed.
At the time of writing, most major anti-virus products had added the signature of the malicious file to their index and were able to detect the attack, data compiled by cybersecurity company VirusTotal showed.
Seon Wook Kim contributed research to this report
Edited by Oliver Hotham
Nils Weisensee is Director of News Operations at the Korea Risk Group and covers cyber security for NK News. Prior to that he worked as head of operations at the Choson Exchange NGO and as a reporter for DAPD and the Associated Press.