
An alleged group of hackers spying for the Kim Jong-un regime is using a new method to obtain information: sending emails to experts, posing as other people, and asking for their opinions or articles on issues of interest to Pyongyang, such as how China will react if North Korea conducts a nuclear test, Reuters reports.
When Daniel DePetris, a foreign policy analyst in the US, received an email in October from the director of the think tank 38 North commissioning an article, it seemed perfectly normal. But it was not. The sender was actually a suspected North Korean spy seeking information. Instead of infecting his computer and stealing sensitive data, as hackers usually do, the sender of the email appears to have tried something different: asking his opinion on North Korean security issues while posing as the director of 38 North, Jenny Town.
“I realized something was wrong after I contacted the person in question to ask more questions and found out that there was actually no request for the article, and what’s more, that person was, in his turn, the target,” Daniel DePetris told Reuters, referring to Jenny Town. “So I realized pretty quickly that this was a massive campaign,” DePetris added.
The email obtained by the expert is part of a new, previously unknown campaign by an alleged group of North Korean hackers, cyber security experts believe.
WHO IS THALLIUM
The hacker group, which experts have identified as Thallium and Kimsuky, has long used a technique called “phishing,” which consists of sending an email purporting to be from a reputable organization and tricking the target into providing passwords or clicking on attachments or links that download malicious software. However, it now appears that the hackers are simply asking researchers or other experts to give them their opinions or write articles.
Topics of interest included China’s response to North Korea’s new nuclear test and whether a more “quiet” approach to North Korean “aggression” could be achieved, according to emails analyzed by Reuters.
“Attackers are very successful using this very, very simple method,” said James Elliott of the Microsoft Threat Intelligence Center (MSTIC), who says the new tactic first appeared in January. “The attackers completely changed the process,” says the expert. “The attackers are getting the information directly from the source, if you will, and they don’t have to sit and make interpretations because they’re getting it directly from the expert,” Elliott said.
MSTIC identified “several” analysts specializing in North Korea who provided information to the alleged attacker’s account, codenamed Thallium.
A 2020 report by the US government’s cybersecurity agencies stated that Thallium has been in operation since 2012 and is “likely to have been tasked with a global intelligence-gathering mission by the North Korean regime.” According to Microsoft, Thallium has since targeted government officials, think tanks, academics and human rights organizations.
North Korean hackers are known for attacks that have brought them millions of dollars, such as the attack on Sony Pictures over a film deemed offensive to leader Kim Jong-un. They also stole data from pharmaceutical or defense companies and foreign governments.
In other attacks, Thallium and other hackers spent weeks or even months building a relationship of trust with a target before sending them malware, said Saher Naumaan, principal intelligence analyst at BAE Systems Applied Intelligence.
A SURREAL SITUATION
Now, Microsoft says, the group is targeting experts and analysts, in some cases no longer sending malicious files or links, even if victims respond. This tactic can be faster than hacking into someone’s account and looking through their emails. In addition, it bypasses traditional technical security programs that scan and flag messages with malicious elements. The method allows spies to gain direct access to expert opinions, Elliott explained.
“It’s very difficult for us as defenders to stop these emails,” he said, adding that at best the recipient can tell that something is wrong.
Jenny Town said some of the messages purporting to be from her used an email address ending in “.live” instead of her official account ending in “.org,” but otherwise copied her entire signature. One day, she said, something surreal happened to her: she was involved in an email exchange in which the alleged attacker, posing as her, included her in a reply.
DePetris, a member of Defense Priorities and a columnist for several newspapers, said the emails he received were written as if a researcher was asking for help presenting an article or comments on a project. “They were quite sophisticated, with think tank logos attached to the letter to make it look like the request was official,” he said.
About three weeks after he received the fake email purporting to come from 38 North, another hacker impersonated him, sending emails to other people asking them to review a project, DePetris said. That email, which DePetris showed to Reuters, offered $300 for an opinion on a draft about North Korea’s nuclear program and asked for recommendations for other possible experts to review it.
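One way a mail gateway or a recipient-side script could surface the tell Jenny Town describes (her name and signature copied onto an address ending in “.live” rather than “.org”), as an added example that is not part of the original article. The contact directory, names, domains and messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (assumption): normalised display name -> official address.
KNOWN_CONTACTS = {"dana placeholder": "dana@placeholder-institute.org"}

def _norm(text):
    return re.sub(r"\s+", " ", text.strip(" \"'").lower())

def _without_tld(addr):
    # Naive split: ignores multi-label suffixes such as "co.uk".
    return addr.rsplit("@", 1)[-1].lower().rsplit(".", 1)[0]

def classify_sender(raw):
    """Classify one plain-text RFC 5322 message by who it claims to be from."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    # A copied signature usually sits in the last few non-empty lines.
    tail = [_norm(line) for line in body.splitlines() if line.strip()][-5:]
    for known, official in KNOWN_CONTACTS.items():
        claims = _norm(name) == known or known in tail
        if not claims:
            continue
        if addr.lower() == official:
            return "match"
        if _without_tld(addr) == _without_tld(official):
            return "lookalike-tld"   # same name, different ending (".live" for ".org")
        return "name-mismatch"       # known identity on an unrelated address
    return "unknown"

# Constructed sample messages, not real traffic.
GENUINE = ("From: Dana Placeholder <dana@placeholder-institute.org>\n"
           "Subject: Draft\n\nNotes attached.\n")
SPOOF = ('From: "Dana Placeholder" <dana@placeholder-institute.live>\n'
         "Subject: Article request\n\nCould you send 800 words by Friday?\n")
SIG_ONLY = ("From: Research Desk <desk@mail-placeholder.net>\n"
            "Subject: Review\n\nPlease comment on the draft.\n\n-- \n"
            "Dana Placeholder\nDirector\n")
STRANGER = "From: Sam Other <sam@other-placeholder.com>\n\nHello.\n"

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("spoof", SPOOF),
                       ("sig-only", SIG_ONLY), ("stranger", STRANGER)]:
        print(label, "->", classify_sender(raw))
```

A check like this only covers identities already in the directory; a request sent under a name the recipient has never corresponded with still depends on the recipient confirming it through a separate channel, as DePetris did.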
FASTER AND MORE PRACTICAL INFORMATION COLLECTION TECHNIQUES
Impersonating someone else is a common method for spies around the world, but as North Korea’s isolation has deepened due to sanctions and the pandemic, Western intelligence agencies believe Pyongyang has become heavily reliant on cyber campaigns, a security source in Seoul told Reuters.
In a March 2022 report, an expert panel investigating how North Korea evades UN sanctions included Thallium’s efforts as activities that “constitute espionage because they are intended to inform and assist” the country in evading sanctions.
Jenny Town said that in some cases, the attackers commissioned work and analysts provided full reports or previews of drafts before realizing what had happened.
DePetris said the hackers asked him about issues he was already working on, including Japan’s response to North Korea’s military activities.
Another email, purportedly sent by a reporter for the Japanese news agency Kyodo, asked a member of the 38 North team how he thought the war in Ukraine had affected North Korea’s thinking and asked questions about the policies of the US, China and Russia.
“We can only assume that the North Koreans are trying to get honest opinions from analysts to better understand US policy toward North Korea and where it might be headed,” DePetris concluded.
(Source: news.ro / Photo source: Framestock Footages, Dreamstime.co)
Source: Hot News
