North Korea has reportedly conducted a spear-phishing campaign that sent emails titled 'Public release of the martial law documents prepared by the Defense Security Command' to personnel in the domestic unification, security, and diplomatic fields after the emergency martial law declaration on Dec. 3.
The Korean National Police Agency announced on the 15th that North Korean hacking groups sent 126,266 emails to 17,744 people in the country between November last year and January this year in an attempt to steal personal information.
More than 30 kinds of lure emails were used. They included messages disguised as analyses of North Korea's New Year's message, situation forecasts, concert tickets for famous singers, tax refunds, daily fortunes, and health information. Some were disguised as martial law documents written by the Defense Security Command and were sent to 54 people.
The sender addresses were crafted to resemble the email addresses of public institutions or of the recipients' acquaintances. Links in the emails led to a phishing site that asked for the recipient's portal site account ID and password, and the phishing site's address was built to resemble that of a well-known portal site.
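The two tricks described above, a sender domain that is one or two characters off from a real one and a phishing link whose hostname embeds a real brand domain, are both catchable at the mail gateway. The following is an added example written for this article, not code from the police or from any product: it scans a constructed email for those two patterns against a list of legitimate domains. The domains `portal-example.com` and `agency-example.kr`, the sender and links in the sample, and the distance threshold of 2 are all assumptions; the article names no portals.

```python
import re
from urllib.parse import urlparse

# Assumed list of legitimate domains the recipients actually use (constructed; the
# article does not name the portal or institution domains involved).
LEGIT_DOMAINS = {"portal-example.com", "agency-example.kr"}

LINK_RE = re.compile(r"https?://[^\s<>\"']+")
DISTANCE_THRESHOLD = 2  # assumption: 1-2 edits covers typosquats like 'rn' for 'm'


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Naive on purpose: no public-suffix list, so
    hosts under multi-label suffixes such as .co.kr need a real PSL in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> str:
    """Return 'legit', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    for legit in LEGIT_DOMAINS:
        brand = legit.rsplit(".", 1)[0]  # 'portal-example' from 'portal-example.com'
        # Brand-embedding: portal-example.com.attacker.net or login-portal-example.net.
        # Short brand strings would false-positive here; keep the list to distinctive names.
        if legit in host or brand in host:
            return "lookalike"
        # Typosquat: registrable domain within a couple of edits of a real one.
        if levenshtein(reg, legit) <= DISTANCE_THRESHOLD:
            return "lookalike"
    return "unknown"


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'Ministry <notice@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def scan_email(from_header: str, body: str) -> list:
    """Flag a lookalike sender domain and every non-legitimate link host."""
    findings = []
    sdom = sender_domain(from_header)
    if classify_host(sdom) == "lookalike":
        findings.append(("sender", sdom, "lookalike"))
    for url in LINK_RE.findall(body):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict != "legit":
            findings.append(("link", host, verdict))
    return findings


# Constructed sample message (not a real lure from the campaign).
SAMPLE_FROM = "Portal Security Team <notice@portal-exarnple.com>"
SAMPLE_BODY = """Your account needs re-verification.
Sign in here: https://portal-example.com.login-check.net/auth
Official notice: https://portal-example.com/notice
Image: https://cdn.totally-unrelated.org/banner.png
"""


if __name__ == "__main__":
    for kind, host, verdict in scan_email(SAMPLE_FROM, SAMPLE_BODY):
        print(f"{kind:6s} {verdict:9s} {host}")
```

Running it on the sample flags the sender (`portal-exarnple.com` is two edits from `portal-example.com`), flags the login link because the real domain is merely a subdomain of the attacker's host, leaves the genuine notice link alone, and reports the unrelated CDN host as unknown rather than blocking it; that last bucket is where an allowlist of known-good third parties would go in a real gateway.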
According to the police investigation, servers that North Korea had used in past cyberattacks were reused in this campaign, and the source IP address was allocated to the border area between China's Liaoning Province and North Korea.
The senders rented 15 domestic servers to send the emails in bulk. They also used a program that tracked, in real time, when each email was sent and whether the recipient opened it, visited the phishing site, or entered account credentials.
The investigation also found North Korean-style vocabulary in records left on the servers by the senders. IT terms were written the way they are in North Korea: 'port' (포트) appeared as '포구', 'page' as '페지', and 'action' as '기동'. However, no evidence was found that conclusively ties the attacks to a known North Korean hacking group such as 'Lazarus' or 'Kimsuky'.
The recipients included government personnel working in domestic unification, security, defense, and diplomacy, as well as researchers and journalists. Of them, 120 clicked the links and reached the phishing site, resulting in the theft of information including portal site account credentials, email addresses, and contact details. The police notified those affected and advised them on how to secure their accounts.
A police official noted, 'While previous North Korean cyberattacks targeted individuals interested in North Korea by sending emails related to the country, this attack also involved sending numerous emails unrelated to North Korea.' The official added, 'It is the first time we have confirmed an attack using content that appears realistically available, such as concert tickets,' and, 'It is crucial not to open emails from unknown senders and not to click on attachments or links.'