North Korean cyber spies deploy new tactic: Tricking experts into writing research for them

When Daniel DePetris, a US-based foreign affairs analyst, received an e-mail in October from the director of the 38 North think-tank commissioning an article, it seemed to be business as usual.

It wasn’t.

The sender was actually a suspected North Korean spy seeking information, according to those involved and three cybersecurity researchers.

Instead of infecting his computer and stealing sensitive data, as hackers typically do, the sender appeared to be trying to elicit his thoughts on North Korean security issues by pretending to be 38 North director Jenny Town.

“I realized it wasn’t legit once I contacted the person with follow up questions and found out there was, in fact, no request that was made, and that this person was also a target,” DePetris said, referring to Town. “So I figured out pretty quickly this was a widespread campaign.”

The e-mail is part of a new and previously unreported campaign by a suspected North Korean hacking group, according to the cybersecurity experts, five targeted individuals and e-mails reviewed.

The cybersecurity experts suspect the hackers are targeting people who are influential in foreign governments to better understand where Western policy is headed on North Korea.

The hacking group, which researchers dubbed Thallium or Kimsuky, among other names, has long used “spear-phishing” e-mails that trick targets into giving up passwords or clicking attachments or links that load malware. Now, however, it also appears to simply ask researchers or other experts to offer opinions or write reports.

According to e-mails reviewed, among the other issues raised were China’s reaction in the event of a new nuclear test; and whether a “quieter” approach to North Korean “aggression” might be warranted.

“The attackers are having a ton of success with this very, very simple method,” said James Elliott of the Microsoft Threat Intelligence Center (MSTIC), who added that the new tactic first emerged in January. “The attackers have completely changed the process.”

MSTIC said it identified “multiple” North Korea experts who have provided information to a Thallium attacker account.

A 2020 report by US government cybersecurity agencies said Thallium has been operating since 2012 and “is most likely tasked by the North Korean regime with a global intelligence gathering mission”.

Thallium has historically targeted government employees, think tanks, academics, and human rights organizations, according to Microsoft.

“The attackers are getting the information directly from the horse’s mouth, if you will, and they don’t have to sit there and make interpretations because they’re getting it directly from the expert,” Elliott said.

 

SOURCE: NEWS AGENCIES