Part of the 'Intelligent Continuous Attack by North Korea (APT Down: The North Korea Files)' report.

A domestic research team's analysis suggests that the entity behind the hacking of South Korean government departments and domestic telecommunications companies is likely a Chinese organization, rather than the North Korean Reconnaissance General Bureau-affiliated hacker group "Kimsuky."

The Korea University Graduate School of Information Security's Hacking Response Technology Research Lab and the Digital Forensics Research Center announced these findings at a conference on the afternoon of the 22nd at Korea University's Jeong Un-oh IT Comprehensive Hall in Seongbuk-gu.

The research was conducted by analyzing publicly available materials related to the suspected Kimsuky hacking, published recently in the U.S. security magazine "Phrack." The researchers noted, "The published materials alone do not allow us to conclude that the attacks were carried out by North Korea," adding that "synthesizing hacker work patterns suggests a very high likelihood of being a Chinese individual who is familiar with Chinese and not accustomed to Korean." They said the hacking by this organization reportedly took place over about a year, from the second half of last year to the first half of this year.

They cited as evidence the inclusion of comments written in Chinese in the source code, similarities to encryption techniques frequently used by Chinese hacker groups, and the fact that hacking was not conducted during Chinese Labor Day, weekends, or the Dano holiday. They further added that the repeated access to the Chinese video site AcFun during leisure time is also a reason to suspect that the hacking was conducted by a Chinese hacker organization.
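One of the indicators above, the absence of activity on Chinese holidays and weekends, is a working-pattern analysis that defenders can reproduce from their own intrusion logs: convert each attacker timestamp into a candidate region's local time and count how many events fall outside that region's working hours, on its weekends, or on its holidays. The script below is an added illustration written for this article, not code from the Korea University team or from the "Phrack" material; the attacker timestamps and both holiday calendars are constructed placeholders (the calendars are not real national holiday lists), and the 09:00 to 19:00 working window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, date, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class WorkCalendar:
    """A candidate operator profile: UTC offset, non-working dates, working hours."""
    name: str
    utc_offset_hours: int
    holidays: FrozenSet[date]
    work_start: int = 9   # inclusive local hour (assumption)
    work_end: int = 19    # exclusive local hour (assumption)


def localize(ts_utc: datetime, offset_hours: int) -> datetime:
    """Shift a timezone-aware UTC timestamp into a fixed-offset local time."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def classify(ts_utc: datetime, cal: WorkCalendar) -> Dict[str, bool]:
    """Flag one event against a calendar: off-hours, weekend, holiday in local time."""
    local = localize(ts_utc, cal.utc_offset_hours)
    return {
        "off_hours": not (cal.work_start <= local.hour < cal.work_end),
        "weekend": local.weekday() >= 5,           # Saturday=5, Sunday=6
        "holiday": local.date() in cal.holidays,   # local date, not UTC date
    }


def score_calendar(events_utc: List[datetime], cal: WorkCalendar) -> Dict[str, float]:
    """Count flagged events; 'mismatch' is the share of events that break the pattern at all."""
    counts = {"off_hours": 0, "weekend": 0, "holiday": 0, "anomalous": 0}
    for ts in events_utc:
        flags = classify(ts, cal)
        for key, hit in flags.items():
            counts[key] += int(hit)
        counts["anomalous"] += int(any(flags.values()))
    n = len(events_utc)
    return {**counts, "events": n, "mismatch": counts["anomalous"] / n if n else 0.0}


def rank_calendars(events_utc: List[datetime],
                   calendars: List[WorkCalendar]) -> List[Tuple[str, Dict[str, float]]]:
    """Order candidate profiles by how well the activity fits them (lowest mismatch first)."""
    scored = [(cal.name, score_calendar(events_utc, cal)) for cal in calendars]
    return sorted(scored, key=lambda item: item[1]["mismatch"])


# Constructed sample of attacker activity timestamps (UTC); not taken from any real log.
SAMPLE_EVENTS_UTC = [
    datetime.fromisoformat(s) for s in (
        "2025-04-28T01:30:00+00:00",  # Mon morning in both zones
        "2025-04-29T06:00:00+00:00",
        "2025-04-30T10:30:00+00:00",  # 18:30 at UTC+8, 19:30 at UTC+9
        "2025-05-05T02:00:00+00:00",  # placeholder KR holiday
        "2025-05-06T07:00:00+00:00",  # placeholder KR holiday
        "2025-05-07T00:30:00+00:00",  # 08:30 at UTC+8, 09:30 at UTC+9
        "2025-05-08T05:00:00+00:00",
        "2025-05-09T08:00:00+00:00",
        "2025-05-09T15:30:00+00:00",  # Fri 23:30 at UTC+8, Sat 00:30 at UTC+9
        "2025-05-12T03:00:00+00:00",
    )
]

# Constructed placeholder calendars (assumption: illustrative dates, not official holiday lists).
CANDIDATES = [
    WorkCalendar("CN (UTC+8)", 8, frozenset({date(2025, 5, 1), date(2025, 5, 2)})),
    WorkCalendar("KR (UTC+9)", 9, frozenset({date(2025, 5, 5), date(2025, 5, 6)})),
]


if __name__ == "__main__":
    for name, result in rank_calendars(SAMPLE_EVENTS_UTC, CANDIDATES):
        print(f"{name}: mismatch={result['mismatch']:.2f} "
              f"off_hours={result['off_hours']} weekend={result['weekend']} "
              f"holiday={result['holiday']} of {result['events']} events")
```

The ranking is only as good as the calendars fed to it, and a one-hour offset between neighbouring zones is weak evidence on its own; the holiday hits are the discriminating signal, which is why the script classifies on the local date after conversion rather than on the UTC date.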

Professor Kim Hwi-gang from the Korea University Graduate School of Information Security said at the briefing, "While the behavior of the Kimsuky group, which is closely linked with China, cannot be completely ruled out as per the authors' inferences in 'Phrack,' the evidence is insufficient to decisively conclude North Korean involvement."

As a result of the analysis, signs of infiltration by hackers into the internal and external networks of major telecommunications companies such as LG Uplus and KT, as well as media outlets including Hankyoreh, were confirmed.

Attack logs were also found indicating phishing emails targeting users of Naver, Kakao, and Yonsei University email accounts. Records of phishing emails created for 226 email accounts belonging to institutions and corporations, including the prosecution, Korea Local Information Development Institute, Ringnet, the Counterintelligence Command, Raon and Raonsecure, Digital Trust Network, InBizNet, and OmniOne were also discovered. However, the researchers stated that it is unclear whether the SK Telecom SIM hacking incident in April was caused by these individuals.

Professor Kim emphasized the need for a thorough review of the overall security level in Korea. He stated, "The fact that breaches continued undetected for a long time by hackers with a high level of understanding of the Korean system has been revealed, and given that evidence has been confirmed that sensitive internal systems of corporations were accessed freely, existing detection systems must be enhanced."
