For the first time, evidence has been found that a North Korea-backed hacking group remotely controlled Android smartphones and PCs to wipe key data such as photos, documents, and contacts in a cyberattack.
On Jan. 10, Genians Security Center said in a threat analysis report that a cyberattacker likely backed by North Korea went beyond stealing personal information and caused direct damage in the real world to smartphones, tablets, and PCs.
According to the report, on Sept. 5 the hacker reset the smartphone of a domestic psychological counselor and, through a stolen KakaoTalk account, sent a malicious file disguised as a "stress relief program" to many acquaintances.
On the 15th of the same month, the Android smartphone of a North Korean human rights activist was also reset, and a malicious file was simultaneously distributed to 36 acquaintances through the stolen KakaoTalk account.
The distribution of malware via KakaoTalk messages was assessed as a typical North Korean social-engineering attack that exploits the trust between acquaintances by posing as someone the recipient knows.
However, in this incident, an unprecedented attack method was additionally found. After infiltrating victims' smartphones and PCs, the hacker lay dormant for an extended period and stole account information for Google and major domestic information technology (IT) services.
By checking the Google location data tied to the smartphone, the hacker confirmed when the victim was away from home or the office, then remotely reset the smartphone through Google's "Find My Device" (Find Hub) feature.
At the same time, through PCs or tablets already infected with malware at the victim's home or office, the hacker spread malware disguised as a "stress relief program" to acquaintances.
Even when some acquaintances suspected the files were malicious and tried to check by phone or message, the victim's smartphone had already been wiped, so push notifications, calls, and messages could not get through. This delay in the initial response allowed the additional damage to spread quickly. The hacker also deleted key data such as photos, documents, and contacts from victims' smartphones, tablets, and PCs.
The report also said there were signs that the hacker used webcams installed on PCs to confirm when victims were outside. The malware included webcam and microphone control features, raising the possibility that the attacker monitored the victims' every move through the infected webcams.
The report said, "North Korea's cyberattack tactics are becoming more advanced, moving into a phase of practical destruction that penetrates people's daily lives."
Genians advised enabling two-factor authentication for logins and not letting browsers save passwords automatically in order to minimize the damage from such hacks. In addition to user-level practices such as powering off PCs when not in use, the report noted that digital manufacturers also need to provide multi-factor authentication systems.