North Korean hackers believed to be behind phishing scheme targeting security experts

이준혁 2022. 12. 26. 18:27

Police released a screenshot of an e-mail from a suspected Pyongyang-backed hacking group that impersonated a parliamentary aide working for People Power Party (PPP) Rep. Thae Yong-ho. Highlighted in red is the e-mail attachment that distributed ransomware rendering the victim's data and computer system inaccessible. [NATIONAL POLICE AGENCY]

A Pyongyang-backed hacking group is believed to be behind an email phishing scheme that targeted South Korean security experts on three occasions earlier this year, according to police Sunday.

The National Police Agency said that the senders of the emails, the first batch of which were sent out in April, impersonated members of the press pool who were covering President Yoon Suk-yeol’s transition committee at the time.

The recipients were mostly South Korean experts who study security, defense and inter-Korean matters.

The police agency said that the hacking group was likely behind similar email phishing campaigns in May and October which targeted a total of 892 experts.

The emails sent out in May were made to look like they had been written by People Power Party (PPP) Rep. Thae Yong-ho.

Speaking at a press conference at the National Assembly on Sunday, Thae said that he was taken aback by the meticulous nature of the phishing scheme.

“I was shocked by how the phishing emails sent by the North Koreans were so thorough,” Thae said, adding, “I thought it had been sent by my office, so I even asked one of my aides to check the message.”

Messages delivered to South Korean security experts in October were similarly disguised as having been sent by the Korean National Diplomatic Academy, a government institution that trains the nation’s diplomats and also serves as a think tank on foreign policy and national security.

Police said that approximately 49 people, mostly academics employed by civilian research institutes and universities, have been affected. None of the people who were deceived by the phishing scheme worked for state institutions, police added.

The victims were tricked into entering their email login details into a phishing website that was linked to the message. The hackers then monitored their online communications and stole documents and contacts, according to the police agency.

Police said the North Korean group also attached files to the emails that distributed ransomware rendering the victim’s data or computer networks inaccessible until they paid money.

The hacking group demanded cryptocurrency as payment from the victims to unlock their data.

The hackers concealed their IP addresses by re-routing their activities through 326 servers in 26 countries, police said.

Police believe that the hackers who targeted South Korean researchers and experts this past year are from “Kimsuky,” the Pyongyang-backed organization believed to be behind a cyber attack on Korea Hydro and Nuclear Power (KHNP), South Korea’s nuclear power operator, in 2014.

That cyber intrusion prompted a safety drill at nuclear plants around the country, even as Seoul officials said only noncritical data had been leaked and that the safety of the country’s nuclear facilities had not been compromised.

The attack also led then-President Park Geun-hye to order a thorough inspection of South Korea’s key infrastructure against what she called “cyber terrorism.”

At the time, investigators said hackers stole the personal details of 10,000 KHNP workers, designs and manuals for at least two nuclear reactors, electricity flow charts and estimates of local residents’ exposure to radiation.

BY MICHAEL LEE [lee.junhyuk@joongang.co.kr]

Copyright © Korea JoongAng Daily. Unauthorized reproduction and redistribution prohibited.
