A group of hackers using Internet addresses accessible from North Korea have been waging an “unsophisticated” campaign to spy on defense think tanks, government agencies and other security-related targets in South Korea, according to computer security researchers.
In a posting to its email list, a researcher from the Russian security outfit Kaspersky Lab analyzed malicious software, or malware, that he said had attacked 11 organizations based in South Korea.
“Taking into account the profiles of the targeted organizations — South Korean universities that conduct research on international affairs, produce defense policies for government, [a] national shipping company, support groups for Korean unification — one might easily suspect that the attackers might be from North Korea,” wrote Kaspersky Lab’s Dmitry Tarakanov.
Mr. Tarakanov, who dubbed the malware campaign “Kimsuky,” said it was designed to steal logins and passwords from infected machines and had been running since April.
He described the work of the hackers who wrote the malware as “unsophisticated,” noting that it was possible to trace the malware’s communications back to its “master” computers via a Bulgarian public email server, and that the software design contained coding errors.
The attackers used 10 network addresses assigned to Internet service providers (ISPs) in Chinese provinces bordering North Korea, Mr. Tarakanov stated.
“Interestingly, the ISPs providing internet access in these provinces are also believed to maintain lines into North Korea,” he wrote, adding, “This geo-location supports the likely theory that the attackers behind Kimsuky are based in North Korea.”
South Korean intelligence officials have accused North Korea of being behind previous cyberattacks, including one on March 20 that wiped data from thousands of computers at South Korean banks and TV stations.
Seoul says Pyongyang’s cyberwarfare unit has as many as 3,000 trained hackers.