ESTsecurity: Red flag over North Korean hacking threat disguised as the Ministry of Unification's chronology of inter-Korean relations


2022. 3. 18.


Sender address elaborately forged as the Ministry of Unification's nkanalysis@unikorea.go.kr... Similar hacking attacks continue


Security company ESTsecurity (CEO Jung Sang-won) announced on the 18th that North Korea-linked hacking attacks disguised as the February issue of the Ministry of Unification's Key Daily Events in North-South Relations continue to be discovered and call for special caution.

The attack targeted experts and workers in the North Korea field by posing as an official Ministry of Unification mailing on major events in North-South relations, and its aim was found to be the hijacking of email accounts. It partially imitated the Ministry of Unification's actual design so that the content looked legitimate, and it placed what appeared to be a file attachment named 'North-South_Relations_Key_Events (February 2022).hwp' at the bottom of the body.

According to ESTsecurity's Security Response Center (ESRC), this method has been observed repeatedly since 2020 and last year, and it consistently tries to deceive recipients with North Korea-related material such as the Ministry of Unification's North Korean trends or the Unification Research Institute's outlook on the situation on the Korean Peninsula.

The attack forges the sender address so that it looks like an official address of the Ministry of Unification, the Unification Research Institute, the National Security Strategy Research Institute and similar bodies, so recipients may open the attached file without suspicion and suffer unexpected hacking damage.

ESRC's analysis shows that although the attack looks like a typical spear phishing attack that lures recipients into opening a malicious HWP document attachment, it actually inserts a malicious URL link in place of an attachment in order to steal portal account information.

If the recipient clicks the attachment link, the document is not delivered immediately. Instead, a screen asks for the portal account password, and once a valid password is entered a normal HWP document is shown, which makes it hard for users to realize they have been exposed to hacking.

Furthermore, once the password is leaked, there is not only the possibility of covert and persistent leakage of personal information but also the risk that the attacker will misuse the victim's account to approach acquaintances, turning the victim into a secondary perpetrator.

Because the lure shows a normal document when the password is entered while leaking the account information, recipients should carefully check whether the displayed document is officially posted on the website and take care not to be deceived.
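A mail-triage check for the lure described above, written as an added example (not ESTsecurity's tooling): it flags a sender whose envelope domain differs from the From domain or whose DMARC result does not pass, and any HTML link whose visible text is a document file name that is not a real MIME attachment. The sample message, the `lure.example` host and the header values are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message, not a captured email; lure.example is a placeholder host.
SAMPLE = """\
From: "Ministry of Unification" <nkanalysis@unikorea.go.kr>
Return-Path: <bounce@mailer.lure.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailer.lure.example; dmarc=fail header.from=unikorea.go.kr
Subject: Key Daily Events in North-South Relations (February 2022)
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the attached chronology.</p>
<a href="https://lure.example/view?id=1">North-South_Relations_Key_Events (February 2022).hwp</a></body></html>
"""
DOC_EXT = re.compile(r"\.(hwpx?|docx?|xlsx?|pdf)\s*$", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return findings for a spoofed sender and links dressed up as attachments."""
    msg, findings = message_from_string(raw), []
    from_dom, env_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope domain {env_dom} differs from From domain {from_dom}")
    if "dmarc=pass" not in (msg["Authentication-Results"] or "").lower():
        findings.append(f"no dmarc=pass result for From domain {from_dom}")
    attached = {p.get_filename() for p in msg.walk() if p.get_filename()}  # real MIME parts
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            if DOC_EXT.search(text) and text not in attached and href.lower().startswith("http"):
                findings.append(f"link styled as attachment '{text}' points to {href}")
    return findings
```

Calling `triage(SAMPLE)` returns three findings for the constructed message; a message with an aligned sender, a passing DMARC result and no attachment-styled link returns an empty list.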

Moon Jong-hyun, director of ESRC, advised, “The cyber threats linked to North Korea that impersonate specific domestic institutions or private sector services are intensifying, making this a time when efforts to strengthen cyber security without gaps are necessary,” and, “Especially for responding to North Korea’s comprehensive cyber offensive, it is necessary to establish a closer and more organic cooperative system at the public-private joint level.”

Meanwhile, ESTsecurity is closely sharing the related cyber threat information with authorities such as the Korea Internet & Security Agency (KISA) and maintaining cooperation so that known threats do not spread.


CEO: Sangwon Jung

Business Registration Number 229-81-03214 Mail-Order Business Notification Number 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code)06711
