North Korean state-sponsored threat actors have been observed using ransomware against companies and organizations in neighboring South Korea for the first time, police have reported.
According to the South China Morning Post, the South Korean National Police Agency said threat actors targeted at least 893 foreign policy experts in the country, looking to steal their identity data and email lists.
The initial victims were mostly think tank experts and professors, who were targeted with phishing emails.
North Korea ransomware
The attackers would pose as a secretary from the office of Tae Yong-ho of the ruling People Power Party, or an official from the Korea National Diplomatic Academy. The emails, whose distribution started as early as April 2022, would either carry links to malicious websites or would carry malware as attachments.
According to the law enforcement organization’s findings, at least 49 people fell for the trick, and gave the attackers access to their email accounts and private, personal data.
That was enough to launch ransomware attacks against at least 13 companies (mostly online malls), with two companies already paying around 2.5 million won (just below $2,000) to regain access to their systems.
The quest to uncover exactly who is behind these attacks is underway, with police saying the threat actors used 326 “detour” servers in 26 countries to cover their tracks.
However they believe the group is most likely the same one that attacked Korea Hydro & Nuclear Power, back in 2014.
The main arguments that North Koreans are behind this campaign include the IP addresses used in the attack, their attempts to get the targets to sign into foreign websites, the use of North Korean diction, and the choice of targets (diplomacy experts, inter-Korean unification thinkers, national security and defense experts).
Here’s a rundown of the best firewalls today