Concerns over HWP's security vulnerabilities have mounted after signs emerged that a hacking group backed by North Korea hid and spread malware in Hangul Word Processor (HWP) documents. North Korean hackers have exploited HWP for more than 10 years, and some warn that vulnerabilities in Hangul Word Processor could harm not only Korea's cyber defense but also the South Korea-U.S. alliance.
On the 26th, according to the security industry, Genians Security Center, a cybersecurity company, said it identified signs of an attack dubbed "Artemis," in which the North Korea-linked hacking group APT37 hid and distributed malicious files in HWP. Analysis found that APT37 used a "spear phishing" attack that approaches targets intelligently by factoring in the recipient's interests. Posing as a university professor, the group sent emails asking recipients to join a National Assembly debate on North Korean human rights as a panelist, and in other cases, impersonated writers at major domestic broadcasters to request interviews on North Korean human rights, built trust through conversation, and then sent HWP files containing malware.
The hacking occurred when victims downloaded the HWP file attached to the email and clicked a hyperlink embedded in the document, which infected their PCs with a malicious file. APT37 made it appear as though normal procedures, such as a file download, were being carried out when the victim clicked the link, cleverly avoiding suspicion of hacking. In the process, the hackers used combined techniques such as "steganography," which hides malicious data inside normal files, and "DLL side-loading," which loads a malicious DLL during an application's execution, to evade detection by security programs.
This case has heightened concerns about HWP's security vulnerabilities. According to the security industry, North Korea has exploited HWP flaws since at least 2013. North Korean hackers from several groups, including APT37/ScarCruft and Kimsuky, have concentrated on using HWP. This is tied to Korea's unique environment of maintaining an HWP-centered document ecosystem. While Microsoft (MS) Word and Adobe PDF are widely used as international standards, Korea uses HWP as a de facto standard. The fact that HWP is used in almost every sector—including government ministries, the National Assembly, the military, industry, and academia—forms the backdrop for the exploitation of vulnerabilities.
Kim Myeong-ju, a professor of information security at Seoul Women's University, said, "It is hard to conclude that HWP is inherently more vulnerable (in security) than MS Office, but it is effectively used like a standard across Korea's public and private sectors, making it an attractive target for North Korean hackers," adding, "Because HWP is also used overseas, security incidents could affect the global market."
From a technical standpoint, HWP is also characterized by the ease with which malware can be inserted. Hackers attempt attacks by secretly embedding OLE (Object Linking and Embedding) objects inside Hangul documents. OLE is a function that allows images, tables, external files, and the like to be included in a document or linked with other programs, and it is widely used in normal document creation. However, hackers abuse this function to design documents so that malware automatically runs when a user opens or previews the document. In such cases, infection can occur without separate execution or approval, making detection difficult and increasing the likelihood of bypassing existing security policies.
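As an added example (not code from the article, Hancom, or any analysis vendor), the following Python walks the Compound File (CFBF) container that HWP 5.x documents use and lists the embedded OLE objects, which HWP stores as BinData/BINxxxx.OLE streams, so a defender can triage attachments before they are opened. It assumes the standard CFBF header and directory layout and uses only the standard library; the sample document it parses is hand-built and constructed, not a real HWP file.

```python
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # CFBF signature; HWP 5.x uses this container
ENDOFCHAIN, NOSTREAM, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF

def cfbf_streams(data: bytes) -> dict:
    """Walk the CFBF directory tree and return {stream_path: size} for every stream."""
    if data[:8] != MAGIC: raise ValueError("not a compound file")
    ssz = 1 << struct.unpack_from("<H", data, 0x1E)[0]            # sector size (512 or 4096)
    n_fat, dir_start = struct.unpack_from("<II", data, 0x2C)
    sector = lambda n: data[(n + 1) * ssz:(n + 2) * ssz]
    fat = [e for s in struct.unpack_from("<109I", data, 0x4C)[:n_fat]  # FAT sectors listed in header DIFAT
           for e in struct.unpack(f"<{ssz // 4}I", sector(s))]
    entries, n = b"", dir_start
    while n != ENDOFCHAIN:                                         # follow the directory sector chain
        entries, n = entries + sector(n), fat[n]
    def walk(i, prefix, out):
        if i == NOSTREAM: return
        e = entries[i * 128:(i + 1) * 128]
        nlen, typ, _, left, right, child = struct.unpack_from("<HBBIII", e, 64)
        name = e[:max(nlen - 2, 0)].decode("utf-16-le")            # name length includes the NUL
        walk(left, prefix, out); walk(right, prefix, out)
        if typ == 2:                                               # stream object
            out[prefix + name] = struct.unpack_from("<I", e, 120)[0]
        elif typ == 1:                                             # storage (directory)
            walk(child, prefix + name + "/", out)
    out = {}
    walk(struct.unpack_from("<I", entries, 76)[0], "", out)       # start at the root entry's child
    return out

def embedded_ole_objects(streams: dict) -> list:
    """HWP keeps embedded OLE objects as BinData/BINxxxx.OLE streams; list them for triage."""
    return sorted(p for p in streams if p.lower().startswith("bindata/") and p.lower().endswith(".ole"))

def _entry(name, typ, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM, start=0, size=0):
    n = name.encode("utf-16-le") + b"\0\0"                         # one 128-byte directory entry
    return (n.ljust(64, b"\0") + struct.pack("<HBBIII", len(n), typ, 1, left, right, child)
            + bytes(36) + struct.pack("<II", start, size) + bytes(4))

def constructed_sample() -> bytes:
    """Hand-built CFBF with an HWP-style layout (constructed sample, not a real document)."""
    hdr = bytearray(512)
    hdr[:8] = MAGIC
    struct.pack_into("<H", hdr, 0x1E, 9)                           # 512-byte sectors
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                       # one FAT sector; directory at sector 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))   # DIFAT: the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 124))
    dirs = (_entry("Root Entry", 5, child=2) + _entry("FileHeader", 2, start=2, size=256)
            + _entry("BinData", 1, right=1, child=3) + _entry("BIN0001.OLE", 2, start=3, size=32))
    return bytes(hdr) + fat + dirs.ljust(512, b"\0") + b"HWP Document File".ljust(512, b"\0") + bytes(512)
```

On a real file, pass `open(path, "rb").read()` to `cfbf_streams` and review every path `embedded_ole_objects` returns; a document whose only expected content is text but which carries BinData OLE streams deserves sandbox analysis rather than a preview.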
There are also concerns that HWP's security vulnerabilities could negatively affect the South Korea-U.S. alliance beyond Korea's cybersecurity. 38NORTH, a U.S. media outlet specializing in North Korea, reported that North Korean hackers have long exploited HWP weaknesses, undermining interoperability and trust in the alliance. Perry Choi, CEO of the U.S. cybersecurity company Aeye Intel, warned in an op-ed for the outlet that sweeping measures are needed to shore up HWP's vulnerabilities. Choi argued that North Korean hackers are exploiting HWP's weaknesses as a means to infiltrate not only Korean institutions but also U.S.-Korea joint projects and alliance-linked supply chains.
For now, the best response is considered to be Hancom's continuous release of security patches and prompt updates by users. Professor Kim said, "Hancom should swiftly disclose the causes of confirmed vulnerabilities and take proactive measures, such as distributing new versions that include security patches," adding, "Users should minimize the use of older versions and perform immediate updates."