Kaspersky labs has claimed that it has managed to find incriminating evidence that point to espionage activities stemming from North Korean hackers targeting South Korean military and government establishments.
The antivirus company has revealed that it started seeing first instances of the attack back in April wherein a Trojan dubbed Kimsuky was used. According to the research carried out by Kaspersky, the Trojan was designed to allow its controllers to carry out espionage functions and included common functions such as keystroke logging, directory listing, remote access as well as capabilities to steal Hangul Word Processor (HWP) files.
The ability to steal HWP files is of vital importance here as it demonstrates a direct attempt to steal data from bespoke specifically designed for military and government purposes. South Korean agencies are known to use Hancom Office for their word processing needs and HWP is a common file format under this productivity software. Further research also indicates that the Trojan is capable of disabling security tools from AhnLab – a well-known security company from South Korea.
Kaspersky concluded that the attack originated from Korea based on three major findings. First is the profile of all the targets including the likes of South Korean universities known to conduct research on international affairs and producing defense policies for government; support groups for Korean unification; and a national shipping company.
The second clue is the discovery of two email addresses (firstname.lastname@example.org and email@example.com) to which all the stolen data was being forwarded. These email addresses were linked to a total of 10 originating IP addresses all of which belonged to two provinces in China known to be the bases for internet service providers which also provide services in North Korea. The final clue was the use of string patterns in North Korean dialect which meant “attack” and “completion”.
Kasperksy has classified this trojan as an advanced persistent threat (APT) and has carried out a detailed analysis of the Trojan which can be found here.