Shadow Games: DPRK and China Linked to South Korean Embassy Attacks

State-sponsored hackers in Southeast Asia are spear-phishing European embassies in South Korea.

In a campaign ongoing since March, a threat actor that closely resembles North Korea’s Kimsuky group has been investing significant effort into personalizing a small number of high-impact espionage attacks against diplomatic missions in South Korea’s capital city.

“The level of detail shows deep subject-matter knowledge,” says Duy-Phuc Pham, threat intelligence and malware researcher at Trellix. “It underlines how North Korea views cyberespionage as one of its most effective intelligence-gathering tools: low-cost, scalable, and yielding information that would otherwise be hard to obtain.”

Interestingly, the attackers have leaked clear signs that they’re working out of, or perhaps with, China.

Embassy Cyberattacks

On March 6, a nondescript email arrived at a Central European embassy in Seoul. It came from “Kim Taesung,” titled “Gas Facility Safety Inspection Service,” with a password-protected zip file attached. The email was so relatively bland that researchers from Trellix suspect it might have been just a test to see if the attack would actually work.

In 18 spear-phishing emails thereafter, Kimsuky invested effort into personalizing each to the time, place, and recipient. On May 13, for example, the attackers mimicked a high-ranking European delegation in communications with a Western European embassy. Their note referenced an “advisory meeting” the following day, with a password that accorded with that same date.

Related:North Korea Attacks South Koreans With Ransomware

This, generally, was the format: impersonated government representative or agency, referencing an official upcoming event, with a zip file protected by a password according to the event’s date.

Within the attached files, the hackers included 54 different PDF lure documents in languages as wide ranging as Arabic, English, French, Korean, Persian, and Russian. Just under half presented as official government letters, diplomatic notes, or announcements, and they referenced dozens of different themes.

Invitations to diplomatic events were common, and sometimes aligned with real-world geopolitical developments, such as an invitation to a South Korean-African forum in Kenya, at a time when the two countries were drawing noticeably closer. Some documents accurately mimicked official embassy correspondence, such as one PDF supposedly drafted by the Iranian embassy for South Korea’s Ministry of Foreign Affairs. A few decoys got even more specific, such as the fake international school admission form that Trellix suspected might have been sent to a government employee somehow related to the institution.

Related:China-Backed APT41 Cyberattack Surfaces in Africa

Falling for one of these phishing attacks would have meant downloading a Powershell script, whose job was to steal basic system information — operating system (OS) information, IP address, running processes, etc. — and, crucially, connect with an attacker-controlled GitHub repository.

The attackers used GitHub repos for command-and-control (C2) purposes, presumably to help blend their espionage with normal network traffic. A malicious script would upload stolen data to their repo, and a text file contained in the repo would tell the script where to download a follow-on payload: an obfuscated variant of “XenoRAT.”

For further secrecy, that text file was modified “ultra-rapidly,” often multiple times per hour, Pham reports. “That kind of short-lived payload suggests strong understanding of sandboxing defense techniques and real-time operator oversight. It makes the malware life cycle much harder for defenders to detect or block.”

North Korea, China, or Both?

In so many ways — targeting, motive, known campaign infrastructure, tactics, techniques, and procedures (TTPs) — the campaign reflected behavior typical of Kim Jong-Un’s notorious Kimsuky outfit.

Related:4 Chinese APTs Attack Taiwan’s Semiconductor Industry

Upon closer analysis, however, Trellix’s researchers found that nearly two-thirds of the hackers’ activity appeared consistent with a Chinese work schedule. They worked consistent 10-hour (8 a.m. to 6 p.m.) workdays, Monday to Friday, an hour ahead of Korean Standard Time. They went totally silent during major Chinese holidays, but less consistently took time off during Korean ones.

There are a few possible explanations for this, the researchers suggest. It could be that the Chinese and North Korean states are collaborating on this campaign, or that it’s actually just a Chinese operation purposely masked as a North Korean one. Or the attackers might simply be operating in or through China, on behalf of North Korea, a known phenomenon previously documented by the US Department of Justice.

Routing malicious cyberactivity through China, Pham says, provides North Korea “reliable hosting, weak enforcement, and a degree of geopolitical cover. In practice, that means local authorities often look the other way as long as the activity doesn’t directly harm domestic interests. For North Korea, this makes a convenient ‘safe rear base’ for cyber operations.”