SEOUL: When Daniel DePetris, a US-based foreign affairs analyst, received an email in October from the director of the 38 North think-tank commissioning an article, it seemed to be business as usual.
It wasn't.
The sender was actually a suspected North Korean spy seeking information, according to those involved and three cybersecurity researchers.
Instead of infecting his computer and stealing sensitive data, as hackers typically do, the sender appeared to be trying to elicit his thoughts on North Korean security issues by pretending to be 38 North director Jenny Town.
"I realized it wasn't legit once I contacted the person with follow up questions and found out there was, in fact, no request that was made, and that this person was also a target," DePetris told Reuters, referring to Town. "So I figured out pretty quickly this was a widespread campaign."
The email is part of a new and previously unreported campaign by a suspected North Korean hacking group, according to the cybersecurity experts, five targeted individuals and emails reviewed by Reuters.
The hacking group, which researchers dubbed Thallium or Kimsuky, among other names, has long used “spear-phishing” emails that trick targets into giving up passwords or clicking attachments or links that load malware. Now, however, it also appears to simply ask researchers or other experts to offer opinions or write reports.
According to emails reviewed by Reuters, the other issues raised included China’s reaction in the event of a new nuclear test and whether a "quieter" approach to North Korean "aggression" might be warranted.
"The attackers are having a ton of success with this very, very simple method," said James Elliott of the Microsoft Threat Intelligence Center (MSTIC), who added that the new tactic first emerged in January. "The attackers have completely changed the process."
MSTIC said it had identified "multiple" North Korea experts who have provided information to a Thallium attacker account.
The experts and analysts targeted in the campaign are influential in shaping international public opinion and foreign governments' policy toward North Korea, the cybersecurity researchers said.
A 2020 report by U.S. government cybersecurity agencies said Thallium has been operating since 2012 and "is most likely tasked by the North Korean regime with a global intelligence gathering mission."
Thallium has historically targeted government employees, think tanks, academics, and human rights organisations, according to Microsoft.
"The attackers are getting the information directly from the horse's mouth, if you will, and they don't have to sit there and make interpretations because they're getting it directly from the expert," Elliott said.
NEW TACTICS
North Korean hackers are well-known for attacks netting millions of dollars, targeting Sony Pictures over a film seen as insulting to its leader, and stealing data from pharmaceutical and defence companies, foreign governments, and others.
North Korea's embassy in London did not respond to a request for comment, but it has denied being involved in cyber crime.
In other attacks, Thallium and other hackers have spent weeks or months developing trust with a target before sending malicious software, said Saher Naumaan, principal threat intelligence analyst at BAE Systems Applied Intelligence.
But according to Microsoft, the group now also engages with experts in some cases without ever sending malicious files or links even after the victims respond.
This tactic can be quicker than hacking someone's account and wading through their emails, bypasses traditional technical security programmes that would scan and flag a message with malicious elements, and allows the spies direct access to the experts' thinking, Elliott said.
"For us as defenders, it's really, really hard to stop these emails," he said, adding that in most cases it comes down to the recipient being able to figure it out.
Town said some messages purporting to be from her had used an email address that ended in ".live" rather than her official account, which ends in ".org", but had copied her full signature line.
In one case, she said, she was involved in a surreal email exchange in which the suspected attacker, posing as her, included her in a reply.
DePetris, a fellow with Defense Priorities and a columnist for several newspapers, said the emails he has received were written as if a researcher were asking for a paper submission or comments on a draft.
"They were quite sophisticated, with think tank logos attached to the correspondence to make it look as if the inquiry is legitimate," he said.
About three weeks after receiving the faked email from 38 North, a separate hacker impersonated him, emailing other people to look at a draft, DePetris said.
That email, which DePetris shared with Reuters, offers $300 for reviewing a manuscript about North Korea's nuclear programme and asks for recommendations for other possible reviewers. Elliott said the hackers never paid anyone for their research or responses, and would never intend to.
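The two indicators Town describes, a familiar name on an address whose ending differs from the official one and the real person appearing as a recipient of "her own" message, can be checked from headers alone even when a message carries no links or attachments. The sketch below is an added example, not part of the Reuters report; the contact list, names and addresses are constructed, and the reserved `.example` and `.test` endings stand in for the ".org" and ".live" pair.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed contact list: display name -> verified address (hypothetical).
KNOWN_CONTACTS = {"jane director": "jane.director@policy-institute.example"}

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def check_sender(raw_message, known=KNOWN_CONTACTS):
    """Return a list of impersonation findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    expected = known.get(" ".join(name.lower().split()))
    if not expected or addr.lower() == expected:
        return []  # unknown display name, or the verified address itself
    findings = []
    got, want = _domain(addr), _domain(expected)
    if got == want:
        findings.append("known-name-other-mailbox")
    elif got.rpartition(".")[0] == want.rpartition(".")[0]:
        # Same domain label, different ending (the ".live" vs ".org" pattern).
        findings.append("known-name-tld-swap")
    else:
        findings.append("known-name-other-domain")
    # The real contact listed as a recipient of mail sent under their name.
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if any(a.lower() == expected for _, a in recipients):
        findings.append("impersonated-contact-in-recipients")
    return findings

# Constructed sample messages, not taken from the campaign.
SAMPLE_SPOOFED = "\n".join([
    "From: Jane Director <jane.director@policy-institute.test>",
    "To: analyst@research.example",
    "Cc: jane.director@policy-institute.example",
    "Subject: Commissioned article",
    "",
    "Could you send 800 words by Friday?",
])
SAMPLE_GENUINE = "\n".join([
    "From: Jane Director <jane.director@policy-institute.example>",
    "To: analyst@research.example",
    "Subject: Commissioned article",
    "",
    "Following up on our call.",
])

if __name__ == "__main__":
    print(check_sender(SAMPLE_SPOOFED))
    print(check_sender(SAMPLE_GENUINE))
```

A finding here is a prompt to confirm the request with the contact through a channel already known to be theirs, which is how DePetris uncovered the impersonation.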
GATHERING INFORMATION
Impersonation is a common method for spies around the world, but as North Korea's isolation has deepened under sanctions and the pandemic, Western intelligence agencies believe Pyongyang has become particularly reliant on cyber campaigns, one security source in Seoul told Reuters, speaking on condition of anonymity to discuss intelligence matters.
In a March 2022 report, a panel of experts that investigates North Korea's U.N. sanctions evasions listed Thallium's efforts as among activities that "constitute espionage intended to inform and assist" the country's sanctions avoidance.
Town said in some cases, the attackers have commissioned papers, and analysts had provided full reports or manuscript reviews before realising what had happened.
DePetris said the hackers asked him about issues he was already working on, including Japan's response to North Korea's military activities.
Another email, purporting to be a reporter from Japan's Kyodo News, asked a 38 North staffer how they thought the war in Ukraine factored in North Korea's thinking, and posed questions about U.S., Chinese, and Russian policies.
"One can only surmise that the North Koreans are trying to get candid views from think tankers in order to better understand U.S. policy on the North and where it may be going," DePetris said.
Reuters
Mon Dec 12 2022