Connect with us

Hi, what are you looking for?

News

NK spies deploy new tactic: Tricking foreign experts into writing research for them

KCNA VIA REUTERS

SEOUL — When Daniel DePetris, a US-based foreign affairs analyst, received an email in October from the director of the 38 North think-tank commissioning an article, it seemed to be business as usual.

It wasn’t.

The sender was actually a suspected North Korean (NK) spy seeking information, according to those involved and three cybersecurity researchers.

Instead of infecting his computer and stealing sensitive data, as hackers typically do, the sender appeared to be trying to elicit his thoughts on North Korean security issues by pretending to be 38 North director Jenny Town.

“I realized it wasn’t legit once I contacted the person with follow up questions and found out there was, in fact, no request that was made, and that this person was also a target,” Mr. DePetris told Reuters, referring to Town. “So I figured out pretty quickly this was a widespread campaign.”

The email is part of a new and previously unreported campaign by a suspected North Korean hacking group, according to the cybersecurity experts, five targeted individuals and emails reviewed by Reuters.

The cybersecurity experts suspect the hackers are targeting people who are influential in foreign governments to better understand where Western policy is headed on North Korea.

The hacking group, which researchers dubbed Thallium or Kimsuky, among other names, has long used “spear-phishing” emails that trick targets into giving up passwords or clicking attachments or links that load malware. Now, however, it also appears to simply ask researchers or other experts to offer opinions or write reports.

According to emails reviewed by Reuters, among the other issues raised were China’s reaction in the event of a new nuclear test; and whether a “quieter” approach to North Korean “aggression” might be warranted.

“The attackers are having a ton of success with this very, very simple method,” said James Elliott of the Microsoft Threat Intelligence Center (MSTIC), who added that the new tactic first emerged in January. “The attackers have completely changed the process.”

MSTIC said it had identified “multiple” North Korea experts who have provided information to a Thallium attacker account.

A 2020 report by US government cybersecurity agencies said Thallium has been operating since 2012 and “is most likely tasked by the North Korean regime with a global intelligence gathering mission.”

Thallium has historically targeted government employees, think tanks, academics, and human rights organizations, according to Microsoft.

“The attackers are getting the information directly from the horse’s mouth, if you will, and they don’t have to sit there and make interpretations because they’re getting it directly from the expert,” Mr. Elliott said.

NEW TACTICSNorth Korean hackers are well-known for attacks netting millions of dollars, targeting Sony Pictures over a film seen as insulting to its leader, and stealing data from pharmaceutical and defence companies, foreign governments, and others.

North Korea’s embassy in London did not respond to a request for comment, but it has denied being involved in cybercrime.

In other attacks, Thallium and other hackers have spent weeks or months developing trust with a target before sending malicious software, said Saher Naumaan, principal threat intelligence analyst at BAE Systems Applied Intelligence.

But according to Microsoft, the group now also engages with experts in some cases without ever sending malicious files or links even after the victims respond.

This tactic can be quicker than hacking someone’s account and wading through their emails, bypasses traditional technical security programs that would scan and flag a message with malicious elements, and allows the spies direct access to the experts’ thinking, Mr. Elliott said.

“For us as defenders, it’s really, really hard to stop these emails,” he said, adding that in most cases it comes down to the recipient being able to figure it out.

Town said some messages purporting to be from her had used an email address that ended in “.live” rather than her official account, which ends in “.org”, but had copied her full signature line.

In one case, she said, she was involved in a surreal email exchange in which the suspected attacker, posing as her, included her in a reply.

Mr. DePetris, a fellow with Defense Priorities and a columnist for several newspapers, said the emails he has received were written as if a researcher were asking for a paper submission or comments on a draft.

“They were quite sophisticated, with think tank logos attached to the correspondence to make it look as if the inquiry is legitimate,” he said.

About three weeks after receiving the faked email from 38 North, a separate hacker impersonated him, emailing other people to look at a draft, Mr. DePetris said.

That email, which Mr. DePetris shared with Reuters, offers $300 for reviewing a manuscript about North Korea’s nuclear program and asks for recommendations for other possible reviewers. Mr. Elliot said the hackers never paid anyone for their research or responses, and would never intend to.

GATHERING INFORMATIONImpersonation is a common method for spies around the world, but as North Korea’s isolation has deepened under sanctions and the pandemic, Western intelligence agencies believe Pyongyang has become particularly reliant on cyber campaigns, one security source in Seoul told Reuters, speaking on condition of anonymity to discuss intelligence matters.

In a March 2022 report, a panel of experts that investigates North Korea’s UN sanctions evasions listed Thallium’s efforts as among activities that “constitute espionage intended to inform and assist” the country’s sanctions avoidance.

Town said in some cases, the attackers have commissioned papers, and analysts had provided full reports or manuscript reviews before realizing what had happened.

Mr. DePetris said the hackers asked him about issues he was already working on, including Japan’s response to North Korea’s military activities.

Another email, purporting to be a reporter from Japan’s Kyodo News, asked a 38 North staffer how they thought the war in Ukraine factored in North Korea’s thinking, and posed questions about US, Chinese, and Russian policies.

“One can only surmise that the North Koreans are trying to get candid views from think tankers in order to better understand US policy on the North and where it may be going,” Mr. DePetris said. — Reuters

Your information is secure and your privacy is protected. By opting in you agree to receive emails from us. Remember that you can opt-out any time, we hate spam too!

Latest

Editor’s Pick

<?xml encoding=”utf-8″ ??> Pressure on the Tory Party chairman increases as the head of HMRC says there are no penalties for ‘innocent errors’. Nadhim...

Editor’s Pick

<?xml encoding=”utf-8″ ??> With the increased threat of industrial strike action looming across the UK, we consider whether a force majeure clause can strike...

Editor’s Pick

<?xml encoding=”utf-8″ ??> TSB’s 5,700 staff and executives are to share a 10% bigger bonus pot this year, after rising interest rates pushed the...

Editor’s Pick

<?xml encoding=”utf-8″ ??> NatWest is to shut another 23 branches in England and Wales, adding to a raft of high street banking closures already...

Editor’s Pick

<?xml encoding=”utf-8″ ??> Shell has put more than 2,000 jobs in the UK at risk after launching a “strategic review” of its domestic energy...

Editor’s Pick

<?xml encoding=”utf-8″ ??> British taxpayers have become shareholders in a further 53 companies backed by a government rescue funding scheme. These firms include a...

You May Also Like

News

COVID-19 has had a significant impact on the mental health of Filipinos across different groups all over the archipelago. From frontline workers, parents balancing...

News

REUTERS By Luz Wendy T. Noble, Reporter The country’s foreign exchange buffers slightly increased as of end-October as the value of the central bank’s...

News

BW FILE PHOTO GROSS BORROWINGS by the National Government reached P2.6 trillion as of end-September as it continued to raise funds to respond to...

News

KARASOLAR.COM TENA, Ecuador — Ecuador’s rainforest Achuar people say their ancestors long dreamed of a “fire canoe” or “electric fish” that would let them...

Disclaimer: Respect Investment.com, its managers, its employees, and assigns (collectively "The Company") do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice. The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.

Copyright © 2022 Respect Investment. All Rights Reserved.