A North Korean state-sponsored hacking group compromised more than 1,400 individuals through an email phishing attack and then used the stolen credentials to steal digital assets, according to the South Korean police on Wednesday.
On November 22, the Korean National Police Agency (KNPA) disclosed the result of their ongoing investigation into a North Korean hacking group widely known as ‘Kimsuky.’ The South Korean police have been closely tracking the cybercriminals since they discovered, in December of last year, that they were behind the email phishing attack that targeted 49 experts in the fields of diplomacy, unification, national security, and defense.
The cybercriminals sent the malicious emails in April, May, and October of last year with the aim of collecting intelligence. In order to achieve their goals, the hackers posed as journalists and government employees—including posing as secretaries from the office of South Korea’s first elected North Korean-defector lawmaker Tae Yong-ho.
The South Korean police stated that the cybercriminals continued their hacking tactics this year, gaining unauthorized access to the credentials of 57 experts. Furthermore, they discovered a prominent development in the hackers’ tactics, as they uncovered that 1,411 civilians had also fallen victim to the email phishing attack.
The hacking group sent compromised emails while posing as legitimate government agencies, such as the National Tax Service or the National Health Insurance Service. They included a malicious link inside the forged notification letters which redirects the targets to a fake website created by the cybercriminals to collect personal information. The cybercriminals tried to conceal their identity by using 576 servers based in 43 different countries.
The KNPA stated that the North Korean hacking group is seeking to enlarge its scope to entrap a wider range of victims in order to advance their project of stealing cryptocurrencies. The police discovered that the cybercriminals tried to extort digital assets from 19 victims from whom they gained credentials through email phishing attacks. The attackers obtained unauthorized access to the targets’ cryptocurrency exchange accounts but failed to fully access them, being unable to pass through the two-factor authentication process. After a person attempting to access the accounts enters the initial password, the two-factor authentication system then requires him or her to enter an additional code, one generally sent as a smartphone message.
The South Korean police also discovered that the attackers secretly mined cryptocurrency using 147 servers to which they had gained access for the purpose of conducting illicit activity. In total, the cybercriminals succeeded in collecting less than 1 million won ($800) in return for their efforts.
“We have not found that there has been a leak of confidential information through the email phishing attacks,” said the chief of the Cyber Terror Investigation Unit of the KNPA to The Readable. The chief confirmed that the hackers had indeed abused the South Korean servers to mine cryptocurrencies illegally. However, he went on to explain that his office could disclose no further information regarding the mining—such as the number or exact location of affected servers—as the case is still undergoing investigation.
