‘Monthly North Korean Trends’ document turns out to be ‘phishing’… North Korean hackers impersonate the Ministry of Unification

Email impersonation screen for ‘Monthly North Korean Trends’ by the Ministry of Unification. The sender’s address was disguised as the Ministry of Unification. / Photo = Provided by East Security

It was found that the North Korean hacking organization Thallium attempted a phishing attack by impersonating the Ministry of Unification.

East Security said on the 24th, “An e-mail hacking attack, which is believed to be the conduct of a North Korean-linked cyber attack organization, was discovered. This APT (advanced persistent threat) attack is estimated to be the conduct of a North Korean-linked cyber attack organization known as ‘Thallium’.”

APT attacks attempt to steal important data, such as personal information, through continuous hacking attempts over a long period of time. Thallium is one of the most active cyber espionage groups among APT attack groups in Korea and the United States, and continues to threaten people mainly in the fields of politics, diplomacy, security, reunification and North Korea.

East Security said, “It is characterized by elaborate and subtle manipulation of the source to look like an e-mail from the Ministry of Unification. It is analyzed that the attacker has built a separate e-mail server to manipulate the e-mail address.”

Manipulating the sender is one of the strategies attackers use to lower the guard of email recipients.

The sender address of the malicious emails used in the actual attack is shown as ‘Ministry of Unification <[email protected]>’, so the recipient is very likely to mistake it for a normal email and open it.
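The sender manipulation described above can be checked on the receiving side. The following is an added example, not code from East Security or the original article: it flags a message whose visible From line claims a protected sender while the envelope sender and the receiving server's SPF/DKIM/DMARC verdicts say otherwise. The domains, the PROTECTED map and the sample message are constructed placeholders.

```python
# Added example: header triage for a spoofed government sender.
# Every domain, header and the PROTECTED map is a constructed placeholder.
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical policy: protected display name -> domains allowed to use it.
PROTECTED = {"ministry of unification": {"ministry.example"}}

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def auth_verdicts(msg):
    """spf/dkim/dmarc results; trust only headers stamped by your own MTA."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower()):
            verdicts.setdefault(method, result)
    return verdicts

def triage(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    findings = []
    allowed = PROTECTED.get(name.strip().lower())
    if allowed is not None and from_dom not in allowed:
        findings.append("display-name-impersonation")
    if rp_dom and rp_dom != from_dom:
        findings.append("envelope-from-mismatch")
    verdicts = auth_verdicts(msg)
    # SPF alone validates the envelope domain, so require DKIM and DMARC too.
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method}-not-pass")
    return findings

# Constructed sample: From shows the ministry, mail came from another server.
SPOOFED = (
    'From: "Ministry of Unification" <press@ministry.example>\n'
    "Return-Path: <bounce@mailer.invalid>\n"
    "Authentication-Results: mx.recipient.example; spf=pass"
    " smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail\n"
    "Subject: Monthly North Korean Trends\n\n(body)\n"
)

if __name__ == "__main__":
    print(triage(SPOOFED))
```

In the sample, SPF passes because it only vouches for the attacker's own envelope domain; the DMARC failure and the envelope mismatch are what expose the forged From line.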

The actual PDF document screen shown after the email password has been stolen. The actual document of the Korea Institute for National Unification was used. / Photo = Provided by East Security

East Security said, “If you look at the contents of the e-mail, the image of the first page of the document, expressed as if issued by the Ministry of Unification, is inserted in the text,” it explained.

East Security said, “If you click the link at this time, instead of viewing the document, a screen asking you to enter the password of the email recipient appears. If you enter the password, the information will be leaked to the attacker, revealing the contents of the email, and there is a possibility that the victim could become a perpetrator, for example through follow-up attack emails sent to nearby acquaintances by unauthorized use of the account.”

The attacker also took care to display a document officially distributed by the Korea Institute for National Unification immediately after the password was stolen, so that the victim would be as unlikely as possible to notice the compromise. If the e-mail recipient is not aware of the hacking, information continues to leak to the hacker. In addition, hackers may use the email recipient’s computer as a means of attack in the future.

Moon Jong-hyun, head of East Security ESRC Center, said, “The subtle and explicit cyber threat pretending to be a major government agency is actively progressing locally.”

“The level of cyber threats has also increased for each individual due to the trend of working from home due to the impact of Corona 19,” said Moon.

He continued, “We need more attention and preparedness for the latest threat cases so that we are not exposed to the latest threats by being fooled by the elaborate and intelligently manipulated source impersonation attack method. Because of this, it is imperative that related organizations seek and approach solutions together in terms of national cybersecurity.”

Email impersonation screen for ‘Monthly North Korean Trends’ by the Ministry of Unification. There is no actual file attached and there is a link (lower red box) to the malicious document. / Photo = Provided by East Security

Meanwhile, it is notable that North Korean expressions appeared in the emails used by the hackers.

The file the hacker used as a malicious document is the ‘Analysis of the 8th Congress of the Korean Workers’ Party (2): Economic and Social and Cultural Fields’ by the Korea Institute for National Unification. However, on the hacking email screen sent by the hacker, it was marked as ‘Chosun Workers Party’ rather than ‘Chosun Workers Party’.

It appears that the hacker typed the text into the email directly and, as usual, did not apply the proposition rule.

In general, it is not easy to identify a hacker. However, experts comprehensively analyze the language used in a specific region, the usual habits that appear when coding, and any IP address that was accidentally exposed, in order to specify or infer the country or organization.


Source: DailyNK by www.dailynk.com.
