North's hackers pose as officials, journalists to steal info and crypto

North Korean hackers posing as South Korean governmental agencies and journalists stole personal information to pilfer cryptocurrency, according to South Korea’s National Police Agency on Tuesday.

North Korea's state-backed hackers use proxy servers to send scam emails to Korean portal site users. This scheme resulted in the theft of personal data and information from 1,468 victims. [NATIONAL POLICE AGENCY]

North Korean hackers posing as South Korean governmental agencies and journalists stole personal information to pilfer cryptocurrency, according to South Korea’s National Police Agency on Tuesday.

The police confirmed Tuesday that the hackers stole the information of 1,468 victims between March and October, including 57 incumbent or retired government officials in diplomacy, military and national security.

The other 1,411 were working in the private sector.

North has engaged in email phishing in recent years. Police say the scale and scope of North Korea's phishing have grown this year.

The phishing emails pretended to be sent from the South Korean National Police Agency, National Health Insurance Service, National Pension Service and National Tax Service.

The hackers used clickbait in their email, adding words like “notice” or “questionnaire.”

Once the recipient opened the scam email or attached file, malware was installed automatically on the victim's computer.

Scam email sent to a user using Korean portal website, Naver. The email pretends to have electronic document issued by the National Health Insurance Service. The green-colored confirmation button directs the user to the phishing page. [NATIONAL POLICE AGENCY]

The malware created channels to steal personal data and information. The emails also included embedded links to fake websites that stole personal information.

The police believe the illegal cyber activity was aimed at stealing cryptocurrency.

The hackers expropriated 19 victims’ user IDs and profiles to log in to their cryptocurrency trading accounts. They also executed crypto mining programs on more than 147 proxy servers they seized.

Last year, they stripped virtual assets by distributing ransomware that coerced victims to pay money and valuables to regain their property.

Police shut down 42 phishing websites managed by North Korean hacking groups through coordination with the Korea Internet & Security Agency to prevent further losses. Also, the police will share the list of servers the North Korean hackers used with the government’s intelligence and cyber-related authorities.

“The police will work closely with relevant institutions and agencies to continuously track down North Korea’s cyber attacks and breaches to prevent losses,” an official from the police agency said.

National Police Agency's officer gives a briefing on scam emails sent from North Korea at the National Office of Investigation in Seodaemun District, western Seoul on Tuesday. [YONHAP]

North Korean hackers are not first-time offenders.

North Korean hackers sent emails last May impersonating an assistant of Rep. Tae Yong-ho, a lawmaker of the conservative People Power Party who was a North Korean diplomat before he defected to the South.

In the faked emails, the hackers pretended to represent the Korea National Diplomatic Academy, a state-run institution that trains Korean diplomats. On some occasions, they took on identities of reporters covering then President-elect Yoon Suk Yeol's transition committee and sent scam emails to military experts.

South Korea sanctioned North Korea’s state-backed hacking group “Kimsuky,” believed to be behind significant cyberattacks and the theft of satellite technology worldwide. South Korea became the first country in the world to sanction Kimsuky in June.

According to a joint U.S.-South Korean advisory, Kimsuky operates under North Korea’s Reconnaissance General Bureau, a military organization that functions as the country's premier foreign intelligence agency.

To prevent data leakage, users should change their passwords periodically and use two-step verification measures. Also, blocking foreign IP addresses can reduce the risk of being hacked.

BY LEE YOUNG-KEUN, LEE SOO-JUNG [lee.soojung1@joongang.co.kr]