A series of targeted cyber-attacks that plagued South Korean former minister-level officials over the past year has been traced back to North Korean hacking group “Kimsuky,” the National Police Agency (NPA) revealed. The cyber espionage, primarily executed through phishing emails, led to a significant breach of personal information of these high-ranking individuals.
Kimsuky’s malicious activities predominantly targeted officials in South Korean diplomatic and security domains during the past year. According to the NPA, a deluge of phishing emails was sent to approximately 150 security and diplomatic specialists from April to July of the previous year.
After luring these individuals to their phishing sites, the hackers successfully stole account information from nine victims. These victims include three former minister- and vice-minister-level officials, one current government official, four academics, and a reporter. This spear-phishing campaign underscored the hackers’ precise focus on infiltrating the systems of influential individuals, illuminating the strategic intent of these cyber-attacks.
In the aftermath of the hack, the group reportedly surveilled the victims’ email traffic in real time for a period ranging between four and nine months. The stolen data mainly consisted of attached documents and address directories from the victims’ accounts. However, the NPA confirmed that no confidential materials were among the information seized by the hackers.
This is not the first time that Kimsuky has made headlines for its cyber-attacks. The group gained international infamy in 2014 following their hacking of Korea Hydro & Nuclear Power Co., a major South Korean power generation agency. In response to the group’s persistent nefarious activities, the South Korean government imposed sanctions on Kimsuky just last week.
The attribution of these attacks to Kimsuky came after a comprehensive analysis by the NPA and the National Intelligence Service. They scrutinized approximately 5,800 phishing emails, the internet protocol addresses of the hacking sources, and the establishment of waypoints.
The investigation also revealed that Kimsuky controlled a network of 138 servers, 36 of which were based in South Korea and 102 located internationally. The group’s sophisticated method involved hacking and laundering IP addresses prior to distributing the phishing emails. In addition, a new four-step attack method unique to North Korean hacking organizations, including Kimsuky, was identified.
The continuous cyber threats from Kimsuky shed light on the growing concern of cyber espionage in international relations. As countries ramp up their cybersecurity measures, the evolving tactics of hacking groups like Kimsuky emphasize the urgency and importance of developing sophisticated defense mechanisms against cyber threats.