North Korean cyber spy tactic: deceiving foreign experts into writing research
Instead of infecting computers and stealing sensitive data, as hackers typically do, a new North Korean cyber campaign appears to be trying to elicit experts' thoughts and responses on North Korean security issues by pretending to be their peers.
As North Korea’s isolation has intensified under sanctions and due to the pandemic, Western intelligence agencies believe Pyongyang has become particularly reliant on cyber campaigns.
Researchers believe the hackers are targeting influential people in foreign governments, in an attempt to better understand Western policy toward North Korea.
The hacker group, which has been dubbed “Thallium” or “Kimsuky” among other names, has long used “spear-phishing” emails to trick targets into giving up passwords or clicking malicious attachments or links. But now the group is engaging with experts without needing to send malicious files or links, apparently by simply asking researchers or other experts to provide their opinions.
Discussion topics seem to range from how China would react in the event of a new nuclear test to whether a “quieter” approach towards North Korean “aggression” may be warranted.
The Microsoft Threat Intelligence Center (MSTIC) reports that the attackers are having great success with this very simple tactic, which first surfaced in January. According to MSTIC, multiple experts have already provided information to a Thallium attacker account.
According to a U.S. government report from 2020, Thallium has been operating since 2012 and is most likely tasked with gathering global intelligence for the North Korean regime. According to Microsoft, Thallium is targeting government employees, think tanks, academics, and human rights organisations.
Thallium and other hackers first develop trust with their targets before sending malicious software, said Saher Naumaan, principal threat intelligence analyst at BAE Systems Applied Intelligence.
This tactic bypasses traditional technical security programmes that would scan and flag a message with malicious elements, and it is faster than hacking someone’s account and wading through their emails. It also allows spies direct access to the experts’ “minds”.
An expert panel investigating North Korea’s evasion of UN sanctions published a report in March 2022 classifying Thallium’s efforts as espionage aimed at assisting the country’s sanctions evasion.
Some attackers have commissioned papers, with analysts writing full reports or manuscript reviews before realising what had actually happened.
A number of experts have been asked about their current tasks; questions have included Japan’s response to North Korea’s military activities and whether experts believe the war in Ukraine has played a role in perceptions of North Korea. They have also been questioned on U.S., Chinese, and Russian policies.
Experts surmise that the North Koreans are trying to garner candid views from think tankers, aiming to better understand US policy on their country and where this may be heading.