Image: NK News | A screenshot of an email sent to NK News staff from a suspected North Korean hacker posing as UK Ambassador to DPRK Colin Crooks
Two prolific hacking groups assumed to be working on behalf of North Korea have launched a series of unusual attacks against journalists covering the DPRK, an NK News investigation in cooperation with cybersecurity firm Kaspersky found.
The unsuccessful attacks stood out for the hackers’ persistence and tailored communications, aiming to trick NK News reporters into installing malware that could ultimately give the attackers full access to the company’s computer systems.
“I’ve never seen this attack vector before,” Seongsu Park, a senior security researcher at Kaspersky, told NK News after analyzing emails, files and techniques used in the case.
In one of several tailored attacks, hackers sent NK News multiple PDF documents they said required special software to open. To view the files, the attackers then asked their target to download a 7-zip archive with a custom PDF reader for Microsoft Windows from the popular cloud storage platform Mega.nz.
The emails were sent from an account purporting to belong to the U.K. Ambassador to Pyongyang Colin Crooks. The hackers provided their target with a login that they claimed would give access to the ambassador’s personal cloud drive account.
But after using the credentials to download the PDF reader that the hackers claimed was needed to view the documents, the application secretly fetched additional malware, according to Kaspersky. The software then installed code that collected technical details and could provide the group with full access to the computer. The PDFs did not contain any readable content.
Security researcher Park said the way the attackers used an open source PDF application to create a malicious version was notable. “The actor behind this attack adopts a new initial infection method,” he told NK News. “They compromised a public PDF reader and delivered it to the victim.”
The conversation between the hackers and their target continued over almost a dozen emails, showing remarkable persistence but ultimately unraveling thanks in part to their awkward language. Kaspersky attributed the attack to Konni, a hacking group previously linked to the DPRK.
Hackers that appear to be linked to North Korea sent NK News staff multiple emails, some of which are seen here, trying to get them to install a malicious program | Image: NK News
IDENTITY THEFT
In a second attack, hackers believed to be working for North Korea contacted NK News via email, impersonating DPRK expert Heungkyu Kim at South Korea’s Ajou University and claiming to be interested in discussing the recent restoration of inter-Korean communication lines.
Over the course of the conversation, the attackers sent a password-protected document purporting to offer Kim’s opinion on the matter. The Microsoft Word file contained malicious macros that ultimately installed scripts to collect passwords and other information typed into the computer, Park explained. Those details would then be sent to a remote server that the hackers controlled.
Park said the code belonged to Kimsuky’s BabyShark malware, a set of malicious tools that uses Microsoft’s Visual Basic Script (VBS) to analyze and break into computers. As in other cases, awkward Korean language used in the emails contributed to the discovery of the attack.
At the time of writing, no major antivirus software detected the malicious code in the documents, according to malware search engine VirusTotal.
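Because signature-based antivirus missed the macro-laden document described above, a newsroom or security team cannot rely on detection alone and needs a structural check it can run on every incoming attachment. The following is an added example, not code from NK News or Kaspersky, showing the first triage step a defender would take: determine whether an Office attachment carries a VBA project at all, before anyone opens it. Modern Word files are ZIP archives in which macros live in a `vbaProject.bin` entry; legacy `.doc` files and, importantly, password-protected modern documents are OLE2 compound files that need a dedicated parser (or the supplied password) to inspect. The sample documents are constructed inline and are not real Word files.

```python
import io
import zipfile

# Magic bytes: OOXML (.docx/.docm) files are ZIP archives; legacy .doc files
# and password-protected OOXML files are both OLE2 compound files.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_attachment(data: bytes) -> str:
    """Coarse triage label for an Office attachment, from its bytes alone.

    Returns one of:
      'ooxml_with_macros' - ZIP-based Office file carrying a VBA project
      'ooxml_no_macros'   - ZIP-based Office file with no VBA project
      'ole_container'     - legacy binary format OR a password-protected OOXML
                            file; both need a CFB parser (and, for the latter,
                            the password) before macros can be ruled out
      'other'             - not an Office container at all
    """
    if data.startswith(OLE_MAGIC):
        return "ole_container"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "other"
    # Word keeps the VBA project at word/vbaProject.bin; Excel and PowerPoint
    # use xl/ and ppt/ prefixes. Match the file name case-insensitively and
    # ignore the directory so all three are covered.
    for name in names:
        if name.lower().endswith("vbaproject.bin"):
            return "ooxml_with_macros"
    return "ooxml_no_macros"


def build_sample_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP for demonstration only.

    This is a constructed sample, not a real Word document: only the entries
    the classifier cares about are present, and vbaProject.bin holds
    placeholder bytes rather than a real VBA project.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("macro-enabled document", build_sample_docx(True)),
        ("plain document", build_sample_docx(False)),
        ("legacy or password-protected", OLE_MAGIC + b"\x00" * 24),
        ("not an Office file", b"hello"),
    ]
    for label, blob in samples:
        print(f"{label}: {classify_office_attachment(blob)}")
```

The useful outcome of this check is the `ole_container` result: a password-protected attachment, exactly the lure used in the Kimsuky case, cannot be cleared by this test and should be handled as unknown rather than assumed clean. Teams that want to go further typically decrypt with the password the sender supplied and then inspect the VBA source with a tool such as oletools' olevba, in an isolated environment.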
Before starting to impersonate diplomats and DPRK experts, hackers linked to North Korea set up social media accounts purporting to belong to reporters at South Korean broadcaster KBS in an unsuccessful attempt to breach computer systems at NK News. Another North Korean hacking group broke into social media accounts belonging to prominent defectors, which it then used to contact NK News reporters and researchers working on DPRK issues.
Jeongmin Kim and Chad O’Carroll contributed research to this report. Edited by Arius Derr.
Nils Weisensee is Director of News Operations at Korea Risk Group and covers cybersecurity for NK Pro. He previously founded information security firm Frontier Intelligence, served as head of operations at non-profit Choson Exchange, and was a reporter for DAPD and the Associated Press.