This article was originally published by Radio Free Asia and is reprinted with permission.
Suspected North Korean hackers are impersonating journalists in emails to target experts on North Korea issues in phishing attacks, a collection of emails obtained by Radio Free Asia showed.
The 12 suspicious emails were forwarded to RFA’s Korean Service by the experts who received them. RFA was not able to confirm the identity of any of the senders of the emails, nor their connection with the North Korean government.
However, they all exhibit signs that strongly suggest that they were phishing attempts by agents working for Pyongyang in order to gain access to intelligence or to install malware on an expert’s device.
In March, RFA reported that Google Cloud’s cybersecurity subsidiary firm Mandiant classified a group of hackers using the same or similar methods as a “moderately-sophisticated cyber operator that supports the interests of the North Korean regime,” and named that group, which it had been monitoring since 2018, as APT43.
In most of the cases RFA compiled, the email comes from an address on a free email platform like Gmail or AOL, but the sender does enough research into the journalist to plausibly pass themselves off as that person.
The apparent hackers attempted to pass themselves off as actual reporters for organizations like Kyodo News, Radio Free Asia, Voice of America (VOA) and others. They asked experts to answer a series of questions or attempted to entice them into clicking malicious links or downloading malicious files.
In one of the 12 emails, the attacker impersonated Shin Jin-woo, a reporter at South Korea’s Dong-A Ilbo newspaper. “Shin” sent a list of specific North Korea policy questions to an expert at the Washington-based Brookings Institution, but used the expert’s email address from a university. The impersonator sent the email from [email protected], which is similar to the real Shin’s [email protected] address.
In addition, “Shin” offered the expert US$200 for his comments. It’s not normal practice for reporters to offer sources payment for information.
From: 신 진우 <[email protected]>
To: [email redacted]
Sent: Fri, Mar 4, 2022 at 2:57 AM
Subject: Re: [urgent] Interview request form reporter of Dong-A Ilbo, the largest newspaper in Korea
I am Shin Jin-woo, a reporter working for Dong-A Ilbo, the largest newspaper in Korea.
I am the head of the foreign affairs team in the political department. Dong-A Ilbo has the most subscribers in Korea. It is also the oldest media company in Korea in 100 years.
I am sure that this interview is a good opportunity to inform Korean readers of your idea. I know that you are very busy. However, I would appreciate it if you could take a moment to answer. If you answer even some of the questions below, I expect it to be a good opportunity to convey your thoughts to the Korean people. If you do not want to be released your name, we could publish your paper anonymously. We’ll be pleased to offer an honorarium of $200 for your participation.
The questionnaire is as follows. Please reply. thank you.
The goal of the email was to get the expert to answer specific North Korea policy questions as a means to gather intelligence on how the United States might respond to developments in the region.
The expert initially responded to “Shin,” saying he could answer a few of the questions, and asked him to communicate through his Brookings Institution email address. “Shin” replied with another email saying that he had a new list of questions that could be accessed if the expert clicked a link.
The link contained malware that could have compromised the expert’s device, allowing “Shin” to gain access to sensitive information.
In another example, an apparent hacker impersonated the friend of an RFA Korean Service reporter, even sending the phishing email to the reporter’s personal email address.
The imposter asked the reporter to download a .zip file containing the malware, claiming it was video of a lecture featuring North Korean escapees.
Translated from Korean:
From: [name redacted] <[email protected]>
Date: Tue, Jun 6, 2023, 4:17 AM
Subject: Sir~ it’s [name redacted]^^
Sir~ How are you doing?
A friend of mine was in this lecture given by North Korean defectors
It would be great if you could take a look at the lecture agenda and give me some good opinions.
Thanks a bunch^^
Attachment: North Korean defectors lecture.zip
The apparent hacker impersonated a real person that the reporter knew, and sent the email from a free email address at South Korean online service provider Naver to the reporter’s personal Gmail address.
The email had a very casual tone, complete with the ^^ text emoticon commonly used in Korean text messages to indicate a smiling face.
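The sender-side signs in both emails above (a known reporter's or acquaintance's name arriving from a new address on a free email platform, sometimes one that resembles the real address) can be checked mechanically on the recipient's side. The following Python is an added example, not part of the original article; the contact directory, the addresses and the indicator names are constructed for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Free email platforms named in the article (Gmail, AOL, Naver).
FREE_MAIL = {"gmail.com", "aol.com", "naver.com"}

# Constructed directory of people the recipient already knows:
# normalized display name -> the address that person really uses.
KNOWN_CONTACTS = {
    "shinjinwoo": "jinwoo.shin@newsroom.example",
    "신진우": "jinwoo.shin@newsroom.example",
}

def normalize(name):
    """Casefold and drop spaces/punctuation: 'Shin Jin-woo' -> 'shinjinwoo'."""
    return "".join(ch for ch in name.casefold() if ch.isalnum())

def check_sender(from_header, contacts=KNOWN_CONTACTS, threshold=0.8):
    """Return a list of indicator codes for one From: header."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    findings = []
    real = contacts.get(normalize(display))
    if real is None or addr == real.lower():
        return findings  # unknown name, or the contact's real address
    # A name we know, arriving from an address we have never seen for it.
    findings.append("known-name-new-address")
    if domain in FREE_MAIL:
        findings.append("free-mail-domain")
    # Local part nearly identical to the real one suggests a lookalike.
    real_local = real.lower().rpartition("@")[0]
    if SequenceMatcher(None, local, real_local).ratio() >= threshold:
        findings.append("lookalike-local-part")
    return findings

# Constructed sample headers, not taken from the emails RFA obtained.
SAMPLES = [
    "Shin Jin-woo <jinwoo.shin@newsroom.example>",
    "신 진우 <jinwoo.shin1@gmail.com>",
    "Shin Jin-woo <press.contact@naver.com>",
    "Someone Else <someone@gmail.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no indicators")
```

A hit means the message deserves verification through a channel the recipient already trusts, such as the contact's known organizational address; it does not prove the sender is an impostor.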
Falling for it
In one of the earliest examples, RFA Korean Service reporter Han Dukin received an email from a former senior State Department official, asking him if he had received the answers to a list of questions that Han had sent to him about a week earlier.
But Han had never sent any questions.
The expert had actually answered the questions asked by Han’s imposter. After no RFA report used his answers, he contacted the real Han to make sure he had received the answers. It was only then that he realized he had been tricked.
The strategies used in RFA’s collection of suspicious emails are consistent with the typical method used by North Korean hackers as described by Asheer Malhotra, a threat researcher at cybersecurity firm Cisco Talos.
“Once the target starts engaging with them, … they will slowly and slowly begin conversations with you in an effort to establish trust,” said Malhotra.
“And once you’ve spoken to somebody for a few weeks you’ve exchanged more than a few emails with them, there is an inherent trust that starts building up and they will exploit or leverage that trust to eventually send you a malware sample,” he said.
“And they’ll be like, hey, this is a report. I took your findings, and I compiled it into a document. Can you please open this up and review it for me?”
The emails contain techniques that are similar to those employed by APT43, Michael Barnhart, a senior analyst at Mandiant, told RFA.
Barnhart said that the goal of the North Korean hackers is not to compromise an entire organization.
“They don’t want to attack RFA or a crypto exchange; they would rather go for the personal accounts because when you do the personal accounts, it [lowers] the level of suspicion,” he said. “If they come for an organization, law enforcement might get involved, whereas if they go for individual people, a lot of times they don’t report that to law enforcement.”