[Weekend Briefing] North Korean hackers’ espionage against China

By Dain Oh, The Readable
Mar. 17, 2023 7:43PM GMT+9

“Weekend Briefing” is a weekly newsletter that is sent to The Readable’s subscribers every Friday. Cybersecurity journalists for The Readable carefully select important news stories from the previous week and deliver them in a compact form. Topics encompass cybercrime, geopolitics, and privacy. There are no costs involved with a subscription, and some content, such as the monthly ransomware index report, is only available to those who subscribe to our newsletters.


Hello! This is Dain Oh in South Korea. North Korean hackers have been active not only in South Korea, but also in their ally nation China. Two notable reports on cybersecurity came out this week, one from a Chinese company and one from Microsoft. Russia is ramping up its influence operation by leveraging multiple tactics, including new ransomware and cyber espionage attacks. Fraud has been a disturbing problem in South Korea, but the financial watchdog is responding to this issue. At the bottom of this briefing, we have also included one news article which covers a security controversy involving the most popular messaging app in Korea. Have a great weekend!

1. Chinese researchers reveal North Korean hackers stealing information from China

Chinese cybersecurity firm Qianxin discovered activities hostile to China, which were carried out by state-sponsored hacking groups of North Korea, according to a report by Radio Free Asia (RFA) on Wednesday. Referring to an annual report published by the firm, RFA stated that North Korea appears to recklessly make hacking attempts even against friendly nations. Qianxin investigated malicious campaigns in China, particularly regarding advanced persistent threats (APTs), based on 331 reports covering 137 hacking groups. Lazarus and Kimsuky, the two APT groups backed by the North Korean regime, were the most mentioned among these groups, accounting for 8.7% and 5.0% of the entire volume, respectively. Qianxin also disclosed a hacking technique of APT37, another cybercrime gang sponsored by Pyongyang. APT37 conducted phishing attacks combined with Trojan horses, targeting foreigners who resided in the southeastern part of China with an aim to steal information from the victims’ computers, the researchers warned.

2. North Korea made $2.3 billion worth of foreign currency via cybercrimes and illicit exports

South Korean local news agency Yonhap reported on Monday that the North Korean government raised $2.3 billion worth of foreign currencies last year through hacking attacks and illegal exportation. The amount of illicit assets obtained by the Pyongyang regime was confirmed by a South Korean government official who remained anonymous for the reporting. The news agency wrote that the unlawful amount obtained by North Korea reached the highest level since 2018, the year that economic sanctions on North Korea went into full swing. “This means that North Korea’s cyberattacks are undermining international sanctions on the country,” Yonhap quoted the official as saying. “Last year, North Korea executed around 70 missile test launches, including 8 intercontinental ballistic missile (ICBM) tests. For North Korea, cybercrime is a wellspring that never runs dry,” the agency reported in the official’s words. According to the report, North Korea further made profits by smuggling out coal and gold as well as collecting cash from workers that the government had dispatched to China and Russia.

3. Microsoft details Russian cyberattacks targeting European countries

The Microsoft Threat Intelligence Center (MSTIC) published a report on Wednesday describing malicious cyber activities which were extensively carried out by Russian state-sponsored hackers. While increasing cyber espionage against European nations and maintaining wiper attacks in Ukraine, Russian hackers also developed new ransomware attacks, the researchers found. “As of late November 2022, Microsoft and other security firms identified a new form of ransomware, called ‘Sullivan,’ deployed against Ukrainian targets, in addition to the ‘Prestige’ ransomware Russia deployed in Ukraine and Poland in October 2022,” wrote Clint Watts, a general manager of the Digital Threat Analysis Center, on the company’s blog. The report summarized its recent findings by highlighting three main trends. First, Russia uses ransomware as a deniable destructive weapon, just like a trial balloon. Second, Russia gains initial access to its targets by utilizing various methods, such as the exploitation of internet-connected applications, backdoored software, and spear-phishing. Finally, Russia leverages hacktivist groups to expand its cyber presence, distorting real voices in international society.

4. Financial watchdog in South Korea warns of fraud pilfering credit card information

The Financial Supervisory Service in South Korea issued a consumer alert on Monday, saying that civil complaints are surging regarding the abuse of credit card information leaked through cyberattacks and circulated through the dark web. In a press release, the financial watchdog stated that they received 303 complaints in the fourth quarter of last year, a three-fold increase in volume compared to the previous quarter, which recorded 99 complaints. According to the institution, criminals insert payment popups into vulnerable online shopping websites in order to extract credit card information from consumers. Fake applications were also discovered which induced consumers to install malicious software and enter their payment information. “The entire information on credit cards is never asked for on legitimate online shopping websites and application markets,” emphasized the alert. “It is recommended to use a virtual card which is valid only temporarily when making payments to foreign websites and not to save payment information in webpages,” it added.

Designed by Sangseon Kim, The Readable

KakaoTalk, a mobile messaging application used by almost the entire population of South Korea, has been wrapped up in a massive controversy over personal data breaches. Its open chat rooms, which are supposed to protect the anonymity of participants, allegedly leak breadcrumbs of users’ private information, providing malicious actors with opportunities to identify users and exploit the data for fraudulent activities. On March 12, a vendor appeared on several marketing websites and social media channels, claiming in their advertisements that they can extract databases from open chat rooms operating on KakaoTalk. The databases will include the real names and phone numbers of the members of open chat rooms once a request is received, the vendor insisted. They further promoted sales, saying that they filter ghost accounts and foreign numbers as well as offering free tests for first-time buyers. Open chat is a service that allows users to share their thoughts and information without revealing their identities. To read the original reporting, click here.

The cover image of this article was designed by Areum Hwang.


Dain Oh is a distinguished journalist based in South Korea, recognized for her exceptional contributions to the field. As the founder and editor-in-chief of The Readable, she has demonstrated her expertise in leading media outlets to success. Prior to establishing The Readable, Dain was a journalist for The Electronic Times, a prestigious IT newspaper in Korea. During her tenure, she extensively covered the cybersecurity industry, delivering groundbreaking reports. Her work included exclusive stories, such as the revelation of incident response information sharing by the National Intelligence Service. These accomplishments led to her receiving the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology, a well-deserved accolade bestowed upon her through a unanimous decision. Dain has been invited to speak at several global conferences, including the APEC Women in STEM Principles and Actions, which was funded by the U.S. State Department. Additionally, she is an active member of the Asian American Journalists Association, further exhibiting her commitment to journalism.