SEOUL – Daniel DePetris, a US foreign affairs specialist, got an email from the 38 North think-tank director in October soliciting an essay.

It was not the case.

Three cybersecurity researchers and individuals involved believe the sender was a North Korean spy seeking information.

Instead of infecting his computer and obtaining vital data, the sender pretended to be 38 North director Jenny Town and asked him about North Korean security.

“I realised it wasn’t legit until I called the individual with follow-up inquiries and found out there was, in fact, no request that was made, and that this person was also a target,” DePetris told Reuters, referring to Town. “I quickly realised this was a widespread campaign.”

Cybersecurity experts, five targeted persons, and Reuters emails say the email is part of a new North Korean hacker group campaign.

Cybersecurity experts believe the hackers are targeting key foreign countries to understand Western strategy on North Korea.

“They don’t have to sit there and make interpretations because they’re getting it directly from the expert.”

– James Elliott

Thallium, also known as Kimsuky, has long utilised “spear-phishing” emails to deceive recipients into handing over passwords or opening malware-laden attachments or links. However, it now appears to simply request opinions or reports from scholars or professionals.

Reuters emails discussed China’s response to a new nuclear test and if a “quieter” attitude to North Korean “aggression” was appropriate.

The new strategy was first seen in January, according to James Elliott of the Microsoft Threat Intelligence Center (MSTIC). “The attackers changed everything.”

MSTIC found “several” North Korea experts who sent Thallium attacker account details.

US federal cybersecurity agencies reported in 2020 that Thallium has been functioning since 2012 and “is most likely assigned by the North Korean dictatorship with a global intelligence collecting mission”.

Microsoft claims Thallium has targeted government officials, think tanks, academia, and human rights organisations.

“The attackers are getting the knowledge straight from the horse’s mouth, if you will,” Elliott explained. “They don’t have to sit there and make interpretations because they’re getting it directly from the expert.”

New strategies

New strategies

North Korean hackers have stolen data from pharmaceutical and defence businesses, foreign governments, and others and targeted Sony Pictures over a film deemed as derogatory to its leader.

The London embassy of North Korea denied cybercrime but did not comment.

According to Saher Naumaan, chief threat intelligence analyst at BAE Systems Applied Intelligence, Thallium and other hackers have spent weeks or months building confidence with targets before distributing dangerous malware.

But according to Microsoft, the group now works with experts in some cases without ever sending malicious files or links, even when the victims respond.

“They were extremely sophisticated, with think tank insignia attached to the communication to make it look like a real inquiry”

– Daniel DePetris

Elliott said that this method can be faster than hacking into someone’s account and reading all of their emails. It also gets around traditional technical security programmes that would scan a message for harmful content and flag it, and it gives the spies direct access to what the experts are thinking.

“For us as defenders, it’s extremely, really hard to block these emails,” he added, adding that the recipient usually figures it out.

Town said other communications purportedly from her used a “.live” email address instead of her “.org” one but duplicated her whole signature line.

In one case, she said, she was part of a strange email exchange in which the suspected attacker, who was posing as her, included her in a reply.

DePetris, a Defense Priorities fellow and contributor for various newspapers, said the emails he received were phrased as if researchers were requesting paper submissions or draught remarks.

“They were extremely sophisticated, with think tank insignia attached to the communication to make it look like a real inquiry,” he claimed.

DePetris alleged a hacker impersonated him three weeks after receiving the bogus 38 North email, emailing others to review a draught.

That email, which DePetris shared with Reuters, offers US$300 for reading a manuscript about North Korea’s nuclear development and requests recommendations for additional potential reviewers. Elliot added the hackers would never pay for their study or responses.

Collecting information

Impersonation is a common way for spies all over the world to do their jobs, but as sanctions and the pandemic have made North Korea even more isolated, Western intelligence agencies think Pyongyang relies more and more on cyber campaigns, a security source in Seoul told Reuters on the condition of anonymity to talk about intelligence matters.

In a March 2022 report, a group of experts who look into North Korea’s attempts to get around UN sanctions said that Thallium’s work was one of the things that “constitute espionage meant to inform and help” the country get around the sanctions.

Town stated that in some cases, the attackers commissioned studies, and analysts offered comprehensive reports or manuscript evaluations before realising what had happened.

DePetris said that the hackers asked him about things he was already working on, like Japan’s response to the military actions of North Korea.

In another email, someone pretending to be a reporter from Japan’s Kyodo News asked a 38 North employee how they thought the war in Ukraine affected North Korea’s thinking. They also asked about US, Chinese, and Russian policies.

DePetris said, “One can only guess that the North Koreans are trying to get honest opinions from think tankers to learn more about US policy toward the North and where it might be going.”

Info source – Reuters