
There are North Koreans in the South Korean pantry

Kaspersky Lab's security research team has published a report on an active cyber-espionage campaign that primarily targets South Korean research centres and think tanks.


The campaign, discovered by Kaspersky Lab's researchers, has been named Kimsuky. It is a very limited and highly targeted espionage campaign: the researchers identified only 11 organisations based in South Korea and two institutes in China as targets, among them the Korea Institute for Defense Analyses (KIDA), South Korea's Ministry of Unification, the shipping company Hyundai Merchant Marine and groups supporting Korean unification.


The earliest traces of the attack date back to 3 April 2013, and the first Kimsuky Trojan sample appeared on 5 May. This simple spyware contains a number of basic coding errors and communicates with infected machines through a free Bulgarian web-mail service (mail.bg).

Although the initial infection vector is not yet known, Kaspersky Lab's researchers believe that Kimsuky is most likely spread through spear-phishing e-mails. The malware has the following espionage capabilities: keylogging, directory listing collection, remote control and theft of HWP (Hangul word processor) documents, the office format used throughout South Korean government and research organisations. For remote control the attackers use a modified version of the TeamViewer client as a backdoor through which they retrieve files from the infected machines.

Kaspersky Lab's experts have found clues suggesting that the attackers are North Korean. First, the choice of targets speaks for itself: South Korean universities that research international affairs and produce defence policy for the government, a national shipping company, and groups supporting Korean unification.

Second, the program code contains Korean strings that translate as "attack" and "completion".

Third, the two e-mail addresses to which the bots send status reports and information about the infected systems as mail attachments, [email protected] and [email protected], were registered under names beginning with "kim": "kimsukyang" and "Kim asdfa".

Although the registration data contains no reliable information about the attackers, the source IP addresses fit the profile: all ten of them belong to the networks of the Chinese provinces of Jilin and Liaoning, and the ISPs serving those provinces are believed to maintain lines into parts of North Korea.
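The article gives two indicators a defender can act on: the Trojan reports to the free Bulgarian web-mail service mail.bg, and it sends status reports and stolen HWP documents out as mail attachments. The script below is an added example written for this page, not code from the article or from Kaspersky's report. It runs those two indicators over a handful of constructed mail-gateway log lines; the log format, the host names, the internal domain example.org and the mail.bg mailbox name are all assumptions made for the example, not addresses or systems from the report.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article: the Trojan talks to the free Bulgarian
# webmail service mail.bg and steals HWP (Hangul word processor) documents,
# sending status reports and collected data as mail attachments.
C2_WEBMAIL_DOMAINS = {"mail.bg"}
STOLEN_DOC_EXTENSIONS = {".hwp"}

# Assumption for the example: mail to these domains stays inside the
# organisation and is not treated as exfiltration.
INTERNAL_DOMAINS = {"example.org"}

# Assumed (not any real product's) gateway log format:
#   <timestamp> host=<endpoint> from=<sender> to=<recipient> attach=<filename or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) from=(?P<sender>\S+) "
    r"to=(?P<rcpt>\S+) attach=(?P<attach>\S+)$"
)

# Constructed sample log: the addresses and host names are made up, and the
# mail.bg mailbox is a placeholder, not one of the addresses from the report.
SAMPLE_LOG = """\
2013-05-07T09:14:02 host=ws-17 from=researcher@example.org to=colleague@example.org attach=agenda.hwp
2013-05-07T09:16:44 host=ws-17 from=researcher@example.org to=status-example@mail.bg attach=sysinfo.txt
2013-05-07T09:17:01 host=ws-17 from=researcher@example.org to=status-example@mail.bg attach=policy-draft.hwp
2013-05-07T10:02:13 host=ws-04 from=admin@example.org to=vendor@example.net attach=-
2013-05-07T10:05:55 host=ws-09 from=staff@example.org to=partner@example.net attach=report.hwp
"""


@dataclass
class Alert:
    rule: str
    host: str
    rcpt: str
    attach: str


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def extension_of(filename: str) -> str:
    """Lower-cased extension including the dot; '' for none or no attachment."""
    if filename == "-" or "." not in filename:
        return ""
    return "." + filename.rsplit(".", 1)[1].lower()


def parse_line(line: str):
    """Parse one gateway line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rec: dict) -> list:
    """Apply both indicators to one parsed record; a line can trigger both."""
    alerts = []
    rcpt_domain = domain_of(rec["rcpt"])
    if rcpt_domain in C2_WEBMAIL_DOMAINS:
        alerts.append(Alert("webmail-c2", rec["host"], rec["rcpt"], rec["attach"]))
    # HWP is the everyday office format in Korean organisations, so an
    # external HWP attachment on its own is a weak, noisy signal. It is
    # reported as a separate rule so it can be tuned or correlated with the
    # webmail rule rather than blocked on outright.
    if (extension_of(rec["attach"]) in STOLEN_DOC_EXTENSIONS
            and rcpt_domain not in INTERNAL_DOMAINS):
        alerts.append(Alert("hwp-exfil", rec["host"], rec["rcpt"], rec["attach"]))
    return alerts


def scan(log_text: str) -> list:
    """Run both rules over every parsable line; unparsable lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line) if line.strip() else None
        if rec is not None:
            alerts.extend(evaluate(rec))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.rule:12} host={a.host} to={a.rcpt} attach={a.attach}")
```

On the sample log the mail.bg rule fires twice for host ws-17 and the HWP rule fires on the external HWP attachments from ws-17 and ws-09; the internal HWP mail and the attachment-less message produce nothing. The host that trips both rules in quick succession is the one worth pulling for forensic review; the lone external HWP from ws-09 is the kind of hit that needs the second indicator before anyone acts on it.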

About the Author

s3nki

Owner of the HOC.hu website. He is the author of hundreds of articles and thousands of news items. Besides various online outlets, he has written for Chip Magazine and PC Guru. For a time he ran his own PC shop, and alongside journalism he has worked for years as a store manager, service manager and system administrator.