RUSSIAN SECURITY OUTFIT Kaspersky Lab has revealed that it has been following a sustained attack on South Korea by hackers seemingly based in North Korea.
The Kimsuky Trojan has made targeted attacks on 11 organisations in South Korea and two others in China, including Korean national security think tank The Sejong Institute, the Korea Institute for Defence Analyses (KIDA), South Korea’s Ministry of Unification, Hyundai Merchant Marine and The Supporters of Korean Unification.
As if this wasn’t enough to give Kaspersky a good idea who is behind the attacks, the fact that Hangul Word Processor (.hwp) files have been targeted should seal the deal. Hangul is the most common office suite used by Korean local government offices.
Other sneaky spying attributes have included keystroke logging, directory listing collection and remote access to infected terminals. However, there's a program in the Trojan that is designed to steal .hwp files, suggesting that document theft is the primary motivation for the attacks.
All of this purloined data is sent via a web server in Bulgaria to IP addresses in China assigned to a range commonly used by the Democratic People’s Republic. At this point it is unclear how the Trojan has been spread, but phishing emails and a doctored version of remote access application TeamViewer seem to be the likely suspects.
Two Hotmail addresses have been linked to the attacks - both registered to users with the surname "Kim", the most common surname in Korea - leading us to the same conclusion as if the surname had been "Evans", namely that it would suggest the hackers were probably Welsh.
Furthermore, the malware, which contains several coding flaws, only disables security protocols from AhnLab, an anti-malware company from - you guessed it - South Korea.
The profile that Kaspersky has built of these hackers suggests that they are not the most sophisticated espionage criminals, and brings to mind Peter Sellers in a remake of War Games.
Kaspersky Lab has been keen to point out that its security products neutralise the Kimsuky Trojan, but it stopped short of offering to supply free copies to everyone in Seoul. µ