
There are signs that a North Korea-backed hacking group carried out a destructive cyberattack that remotely controlled Android smartphones and PCs to wipe key data such as photos, documents, and contacts.

According to a threat analysis report from Genians Security Center on the 10th, the advanced persistent threat (APT) group "KONNI," known to be linked to the North Korea-backed threat groups Kimsuky or APT37, was found for the first time to have gone beyond stealing personal information to remotely factory reset Google Android-based smartphones, tablets, and PCs in Korea and delete personal data stored on devices without permission.

Genians' analysis of this KONNI APT campaign found that the hackers reset a domestic psychological counselor's smartphone and, using the stolen KakaoTalk account, sent a malicious file disguised as a "stress relief program" to a large number of acquaintances. On the 15th of the same month, the Android smartphone of a North Korean human rights activist was also reset, and the stolen KakaoTalk account was used to send the malicious file to 36 acquaintances at once.

Spreading malware through KakaoTalk messages was identified as a typical North Korea-origin hacking attack that relies on social engineering by impersonating trusted acquaintances.

According to the report, an unprecedented attack technique was additionally identified in this incident. After infiltrating victims' smartphones and PCs, the hackers lay low for an extended period and stole account information for major domestic information technology (IT) services, including Google.

Attack flowchart of the North Korea-linked KONNI APT campaign analyzed by Genians /Courtesy of Genians

The hackers used Google's location-based lookups on the smartphone to confirm when the victim was outside, not at home or the office, and then remotely reset the smartphone via Google's "Find My Device" (Find Hub) feature. At the same time, they distributed malware disguised as a "stress relief program" to acquaintances through PCs or tablets at the victim's home or office that were already infected with malware.

Even when some acquaintances suspected a malicious file and asked by phone or message to verify, the hacked victim's smartphone was in a "frozen" state with push notifications, calls, and messages blocked, delaying the initial response and allowing additional damage to spread quickly.

The hackers also deleted key data such as photos, documents, and contacts from victims' smartphones, tablets, and PCs.

The report also said there were indications that the hackers used webcams installed on PCs to verify that victims were outside. The malware included functions to control the webcam and microphone, suggesting they may have monitored victims' every move through the infected webcams.

The report said, "A strategy that combines multiple techniques, such as deleting data on Android smart devices and spreading attacks based on accounts, had no precedent in existing North Korea-origin hacking attacks," adding, "It shows that North Korea's cyberattack tactics are advancing into a stage of practical destruction that penetrates people's daily lives."

Genians advised minimizing hacking damage by "regularly changing the Google account password and applying additional authentication methods such as two-factor authentication (2FA)." It added, "Avoid automatically saving passwords when logging in with a web browser, and when going out, keep the habit of shutting down the computer to minimize the potential for physical or remote attacks."

※ This article has been translated by AI.