A cyber “spear phishing” campaign believed to be run by North Korean intelligence operatives who impersonate American journalists and South Korean diplomats on email with the goal of hacking U.S.-based North Korea analysts and human rights advocates has grown increasingly brazen in recent months, according to sources familiar with the campaign.
Emanating from networks in several locations around the world, the campaign has grown more aggressive and sophisticated during a period in which North Korean leader Kim Jong-un has faced heightened difficulties at home and as his younger sister, Kim Yo-jong, has emerged as an influential power player in the secretive Pyongyang regime.
Kim Yo-jong made headlines last month by threatening military action against anyone engaging in propaganda against North Korea. Meanwhile, the clandestine cybercampaign had gained speed and was targeting American think tanks and rights groups whose work focuses on exposing Pyongyang’s nuclear programs and authoritarianism.
Her rising prominence was on display again Friday when the North’s strictly controlled state media cited her on the delicate question of the state of nuclear talks with South Korea and the U.S.
Ms. Kim dismissed what she said was a “spate of strange signals” from the Trump administration about the prospect for further talks. She also said Pyongyang would demand major concessions from Washington and that a face-to-face meeting would “only be used as boring boasting coming from someone’s pride.”
Showing no hesitation about speaking for her brother, she added, “It is still my personal opinion; however, I doubt that things like the [North Korean-U.S.] summit talks would happen this year.”
Among those targeted in the cyber spear phishing campaign is Suzanne Scholte, an activist with the Washington-based North Korea Freedom Coalition. She also chairs Free North Korea Radio, a nonprofit that has been helping North Korean defectors pipe shortwave news broadcasts and other messages into North Korea from offices in South Korea since 2006.
Ms. Scholte became aware of attempts to hack her email in April after receiving a message claiming to be from Uri Friedman, a prominent national security journalist with The Atlantic and the Atlantic Council, seeking her comment for an article.
“When I responded to the email, my message bounced back,” she told The Washington Times. She said she realized she had become the victim of a cyberoperation after phoning Mr. Friedman, who told her he had not written any email to her.
Cybersecurity experts say phishing attempts often involve emails that are designed to dupe the target into a trusting conversation or information exchange before tricking them into clicking on corrupted links or large malware files.
Ms. Scholte said she subsequently received a message claiming to be from a South Korean diplomat friend who wanted to share a “link” to a document purporting to be about human rights violations by the Kim regime.
After phoning the diplomat friend and learning that they too had not sent the email, Ms. Scholte said, she came upon information that the phishing attempts were likely engineered by North Korean intelligence seeking to undermine her work.
North Korean cyberwar operations have been well known to U.S. intelligence since at least 2014, when Pyongyang was blamed for a massive hack of confidential data from Sony Pictures while the studio was preparing to release a movie that angered and mocked Mr. Kim.
Analysts say the sophisticated targeting of individuals like Ms. Scholte points to a more intensive phase.
Recent phishing attacks have impersonated a range of high-profile journalists. A recent article by the North Korea-focused NK News said the efforts are likely designed to compromise South Korean and Western public and private institutions as well as individuals who have influence on how the world interprets North Korea.
Among those who have been impersonated on email are Jenny Town, deputy director of the 38 North website dedicated to North Korea analysis, Washington Post reporter Min Joo Kim and NK News CEO Chad O’Carroll, the article said.
NK News maintained that the culprits behind the campaign were not known. However, sources told The Washington Times that U.S. intelligence officials believe at least some of the hacking is traceable to North Korean operatives on a mission to disrupt people suspected of engaging in “psychological warfare” against the Kim regime.
This includes academics, analysts and activists within U.S. civil society, as well as journalists and South Korean government officials. But proving with certainty the origins of the campaign is difficult because the suspect emails are originating from a range of locations outside North Korea, including networks in China and Southeast Asia.
The campaign is likely part of a wider North Korean information warfare operation and may be tied to the rise of Kim Yo-jong within the Kim regime since her brother’s unexplained roughly monthlong disappearance from public view in April amid a suspected health scare.
New twist in Pyongyang
Kim Yo-jong drew global attention last month with an angry tirade against South Korea for failing to stop activists from spreading anti-Pyongyang propaganda across the North-South divide on message-laden balloons.
Although the spear phishing has targeted a range of individuals, Ms. Scholte’s case stands out because she has been directly involved in the broadcasting and balloon-messaging efforts. She has worked for nearly two decades to support defectors’ efforts to get information into North Korea’s notoriously closed information space.
“It’s not surprising that she would have been targeted,” said David Maxwell, a retired Special Forces colonel and North Korea expert with the Foundation for Defense of Democracies. “I think the regime is focused on her organization because of the radio broadcasts.
“Shortwave radio broadcasts are one of the most effective ways to get outside information into North Korea, and the information has an effect,” Mr. Maxwell told The Times. “The regime wants to stop the flow of any information that has the potential to undermine the legitimacy of Kim Jong-un in the eyes of the North Korean people or puts the regime at risk.”
Serious health issues for national leaders are the kinds of things totalitarian regimes are desperate to conceal from their own people.
“If [Mr. Kim] is sick,” said Mr. Maxwell, “they certainly don’t want information about that proliferating into North Korea because it undermines his stature, and that could be destabilizing.”
Ms. Scholte said she has received death threat emails in the past but believes the more recent efforts against her stem from “our success in getting information into North Korea. They feel they have to stop it.”
She expressed frustration that the government of South Korean President Moon Jae-in has not done more to stand up against North Korea’s campaign. Mr. Moon has long been a strong supporter of detente and expanded contacts on the bitterly divided Korean Peninsula.
Seoul’s Unification Ministry recently called for the banning of all “escapee information operations,” a reference to defector efforts to send messages back to the North. Mr. Maxwell said the ministry has also called on the South Korean National Assembly to enact a law making it illegal for anyone to float balloons into the North.
“It is as if the North Koreans actually have the South Korean government doing their bidding for them,” Ms. Scholte said.
Funded by donations
North Korea’s recent operations also coincide with uncertainty over the Trump administration’s commitment to its “maximum pressure” policy of sanctions and other actions against Pyongyang. Denuclearization talks with the Kim regime have made little progress since early 2019.
Late last year, the Foundation for Defense of Democracies issued a report suggesting that the U.S. was quietly shying away from more aggressive pressure that might lead to a challenge of the Kim regime from within and kill hopes for a diplomatic breakthrough.
The U.S. and allies, the report said, should “integrate all tools of national power, including diplomacy, military, cyber, sanctions, and information and influence activities” to change the internal calculus of the regime in Pyongyang and squeeze the North Koreans toward more productive nuclear diplomacy.
Mr. Maxwell told The Times in an interview that Washington is “missing an opportunity right now to really sustain maximum pressure through the use of information and should be doing more to support nongovernment organizations in their effective efforts to get information into North Korea.”
The battle to sustain such operations is familiar for Ms. Scholte, whose Free North Korea Radio operation has received on-again, off-again U.S. government funding but is currently financed entirely by private donations.
The organization and a partner outfit called the Defense Forum Foundation, which Ms. Scholte also chairs, received grant money from the State Department’s bureau of democracy human rights and labor during the George W. Bush administration, but she said the funding was held back during the Obama years.
Free North Korea Radio was granted funding again after Mr. Trump took office, only to be cut off again in 2019. Ms. Scholte said she was “totally devastated” by the news and the U.S. demand to prepare an entirely new funding grant.
“This meant the State Department was essentially shutting down Free North Korea Radio for at least six to eight months because the grant process takes that long,” she said.
A State Department spokesperson disputed that characterization and said Ms. Scholte’s organization never applied to have the grant renewed. “It is not accurate to state that the department rejected the renewal of the project, as no such request for additional funding was submitted,” the spokesperson said.
Two notices posted by the department over the past year have sought grant applications from organizations capable of “producing and transmitting radio broadcasts into North Korea,” and a spokesperson told The Times that one of the department’s “main programming lines of effort is to increase” such broadcasts.
Ms. Scholte questioned that claim, saying the department funding mechanism has become so bungled that she has decided to push Free North Korea Radio forward without it. “What is State Department grant money anyway? It’s money from American taxpayers. Why not reach out to Americans directly, because what we are doing is exactly the kind of thing they would want to support?” she said.
The service’s funders, she added, now include “a Missouri farm couple, a Florida businesswoman, an Illinois web designer, a retired Pennsylvania teacher, and a handful of churches in California, Illinois, South Carolina and Virginia.”
“We are confident,” she said, “that as more Americans hear what we are doing they will partner with us, too.”