2 min read

Hackers pose as officials to steal secrets and cryptocurrency for North Korea


November 23, 2023

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Hackers pose as officials to steal secrets and cryptocurrency for North Korea

A hacking gang has been accused of impersonating South Korean officials and journalists in a plot to steal cryptocurrency for the North Korean regime.

According to local media reports, South Korea's police agency has confirmed that between March and October 2023 a total of 1,468 people fell victim to the campaign which attempted to install malware onto their computers.

Amongst the victims were 57 current or retired government officials working in the fields of diplomacy, military, and national security.

Kimsuky, a state-sponsored hacking group which has targeted organisations around the world in an attempt to steal intelligence and money for the North Korean government, is thought to be behind the wave of attacks which attempted to steal victims personal information, IDs, and passwords, as well as cryptocurrency.

According to the Korean National Police Agency (KNPA), the statistics show an almost 30-fold increase in the number of email accounts hijacked by Kimsuky over the previous year.  This, according to the authorities, reflects that the hacking group has broadened out its attacks to the broader general public, which were previously mostly targeted against diplomats and security experts.

Sending boobytrapped emails to its intended victims in the latest attacks, Kimsuky disguised itself as various government organisations, research institutes, and journalists.

Social engineering tricks are used in the emails to lure unwary recipients into clicking on malicious links, or opening the attached file, which could result in victims' computers being infected with malware.

In the example below, the malicious email pretends to offer a document issued by South Korea's health insurance service but instead directs users to a phishing website.

Kimsuky (which is also sometimes known as Thallium, Black Banshee or Velvetchollima) has been active since at least 2012, has previously been reported as targeting members of the United Nations Security Council and South Korea's Atomic Energy Research Institute.

Earlier this year, the United States and South Korea issued a joint cybersecurity advisory about the Kimsuky hacking gang, and South Korea claimed that the group had "been, directly or indirectly, engaged in North Korea's so-called 'satellite' development by stealing cutting-edge technologies on weapons development, satellite and space."

Raising tensions in the region, North Korea was reported yesterday to have successfully launched its first spy satellite into orbit.

Individuals and organisations who believe they might be at risk from such attacks would be wise to not only run a good up-to-date anti-virus product, but also ensure that they have enabled multi-factor authentication to harden their accounts, are using unique, hard-to-crack passwords, and have warned users of the dangers of opening suspicious documents.

Last month, authorities in the United States and South Korea warned companies of the risk that they might have inadvertently recruited North Korean spies to work remotely for their IT department - providing yet another vector for hackers to break into organisations.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like