ESTsecurity, hacking linked to the North discovered impersonating the Korean Society for Clinical Health Promotion's COVID-19 vaccine notifications


2022. 4. 1.

An email phishing attack has emerged, cunningly disguised as being from the Korean Society for Wellness


Security specialist ESTsecurity (CEO Jung Jin-il) warned on the 1st that a hacking attack linked to North Korea, disguised as a COVID-19 vaccine notification from the Korean Society for Clinical Health Promotion, has been detected and requires special attention.

The attack is disguised as a recent official notification about COVID-19 vaccines from the Korean Society for Clinical Health Promotion, and most of the confirmed targets are people working in fields related to North Korea.

The sender shown on the actual attack email was ‘’, but analysis revealed that the sender address had been elaborately manipulated to look like the 'real address of the Korean Society for Clinical Health Promotion'.

According to the analysis by ESTsecurity's Security Response Center (ESRC), the email header used in the phishing attack contains 'openChecker.jsp' code identical to the legitimate code inserted into the header of the 'SRT Seodaegu Station New Stop Operation & Ticketing Start Notification' email sent on the 25th, and the body design was also found to be similar.

Furthermore, the part of the email body describing COVID-19 vaccine efficacy monitoring is identical to the text on the Korean-language website of the Centers for Disease Control and Prevention (CDC), an agency of the U.S. Department of Health and Human Services. In this way, the attacker appropriated official SRT guidance and CDC phrasing for the actual attack.

As with the phishing attacks impersonating the Ministry of Unification reported on March 18th, recent threats attributed to North Korea meticulously manipulate the sender address so that it matches the real one; a recipient who trusts the email on the basis of the address alone and follows it risks having personal information stolen.

ESRC found that the new attack places a malicious phishing link at the bottom of the message, presented as something like a COVID-19 vaccine appointment. Unusually, the phishing server was the Korean Society for Clinical Health Promotion's own website; most phishing attacks instead compromise an unrelated third-party server and redirect to the phishing site from there.

Using the actual sender's website as the phishing foothold is uncommon. It can work in defenders' favour, since incident investigation and follow-up response can be carried out promptly on a single site, but it also gives the attacker the advantage that the message appears more trustworthy to recipients.

Notably, the email used in this attack contains the word '날자', which is the North Korean spelling of 'date', and the techniques and tactics used, including command and control (C2) server webshells, account theft and disguise, match the known patterns of North Korean-linked cyberattacks.

Director of the ESRC, Moon Jong-hyun, stated, "It is the first time we have observed the inclusion of not only the main site used for the attack but also the phishing foothold site," and emphasized, "As such, cyber threats linked to the North are escalating, so it is crucial to redouble our efforts to strengthen cyber security and to build a more cooperative and organic collaborative system between public and private sectors."

Meanwhile, ESTsecurity is closely sharing related cyber threat information with relevant authorities such as the Korea Internet & Security Agency (KISA) to prevent the spread of previously known threats.
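The report's two practical lessons are that a From address matching the real organisation proves nothing on its own, and that a link pointing at the impersonated organisation's own site is not evidence of legitimacy either. The following triage routine is an added example, not ESTsecurity's or ESRC's code; the message, the domain `khealth.example`, the link and the mail-server authentication results are all constructed placeholders.

```python
"""Triage of a suspected sender-spoofing email (added example, constructed data)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the From header carries the organisation's real-looking
# domain, the receiving server's Authentication-Results say DMARC failed, and
# the only link points back at the same organisation's site.
SAMPLE = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=khealth.example
From: Korean Society <notice@khealth.example>
To: staff@receiver.example
Subject: COVID-19 vaccine notification
Content-Type: text/html; charset=utf-8

<html><body><p>Vaccine notification 날자: 2022. 4. 1.</p>
<a href="https://khealth.example/board/reserve.php">Reserve appointment</a>
</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
HREF_RE = re.compile(r'href="(https?://([^/"]+)[^"]*)"', re.I)


def triage(raw: str) -> dict:
    """Return the sender/authentication facts and the reasons the mail is suspicious."""
    # Parse as bytes so the UTF-8 body decodes correctly via get_content().
    msg = email.message_from_bytes(raw.encode("utf-8"), policy=policy.default)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    auth = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    links = [(url, host.lower()) for url, host in HREF_RE.findall(body)]

    reasons = []
    if auth.get("dmarc") != "pass":
        reasons.append(f"DMARC result '{auth.get('dmarc', 'missing')}' for From domain {from_domain}")
    if return_path and return_path != from_domain:
        reasons.append(f"Return-Path domain {return_path} differs from From domain {from_domain}")
    if "날자" in body:
        reasons.append("North Korean spelling '날자' found in body")
    # Links on the impersonated organisation's own site are recorded separately:
    # they do not make the mail safe, they just mean a domain blocklist will not catch it.
    same_site = [url for url, host in links if host == from_domain]
    return {"from_domain": from_domain, "auth": auth, "links": [u for u, _ in links],
            "same_site_links": same_site, "suspicious": bool(reasons), "reasons": reasons}
```

The verdict comes from the server-added Authentication-Results and envelope data, not from the displayed address, which is exactly the field the attacker controls.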


WE WORK WITH AI

We believe that AI makes the world more convenient and safer

1. Senior care with AI

AI senior care service that takes responsibility for seniors' fun and cognitive enhancement with AI human technology

2. Education with AI

Celebrity instructor video lecture creation, TOEIC speaking education content production, AI content as a fitness training instructor, and expansion of educational businesses in various fields

3. Content with AI

Implementing 'moving pictures' with EST AI technology, and 'face transformation, makeup application, and clothing creation' through deep learning

Creating and utilizing various AI human content such as new employee analysts, announcers, etc.

4. API business with AI

Companies can focus on their inherent customer value when we provide data and solutions using AI as an API.

5. Software with AI

Background removal technology applied in ALSee Capture, like the smooth design of ESTsoft AI technology and ALTools products, provides the utility environment that users want.


LET'S Connect

We collaborate with ambitious brands and people around the world.

To learn more about creating digital experiences that effectively reach and engage customers and target audiences, please contact us.

CEO: Sangwon Jung

Business Registration Number 229-81-03214 Mail-Order Business Notification Number 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code)06711
