ESTsecurity, an advisory warning about hacking linked to the North, disguised as a questionnaire for opinion gathering targeting North Korean defectors

2022. 5. 9.

A hacking attack was launched, disguised as a document for a survey soliciting opinions from the Advisory Committee for North Korean Defectors


Security specialist company ESTsecurity (Representative Jung Jin-il) reported on the 9th that a hacking attack linked to North Korea, disguised as collecting opinions from advisers for North Korean defectors, has been discovered and requires special attention.

The distinguishing feature of this attack is its disguise as a survey collecting opinions from advisers for North Korean defectors.
The attacker abused the OLE (Object Linking and Embedding) feature of the HWP (Hangul word processor) document format: when the document is opened, a fake message window appears reading ‘This document was created in a higher version.’
Such a window, worded to invite a reflexive click, is commonly seen in HWP documents, and a user who presses the [Confirm] button without suspicion is immediately exposed to the attack. According to the analysis by ESTsecurity's Security Response Center (hereinafter ESRC), a malicious OLE object is embedded inside the HWP file, and the OLE object has been confirmed to contain a routine that attempts to communicate with a specific South Korean server, ‘hanainternational[.]net’, by way of a batch (Bat) file and PowerShell commands.

In particular, the communication with the Command and Control (C2) server was gated behind a condition that behaves like a dormant Task Scheduler function, so as to keep exposure to a minimum, and the scheduled task was found to be disguised as an ESTsoft program. Meanwhile, the Free North Korea Movement Alliance has claimed that on April 25 and 26, over two days, it scattered about 1 million leaflets into North Korea using 20 large ad balloons in the Gimpo area of Gyeonggi Province; the malicious file was timed to exploit this, posing as a collection of opinions on that very issue.

Attention should therefore be paid to cyber threat strategies that borrow content already known through actual media coverage in order to maximise the effect of an attack.
The ESRC found that, just like the phishing attack impersonating the UN Human Rights Office in February, this attack also used a South Korean server as an intermediate hacking point, and that the two share indicators such as the identical task scheduler name ‘PEACE’ and the ‘Lailey’ ID. Because this attack relies on the OLE method rather than on a vulnerability in HWP itself, all users of Hancom Office, from older products to the latest versions, need to be more cautious whenever a separate message window prompts them to click.
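The persistence and C2 traits described above (a batch file chaining into PowerShell, a beacon to hanainternational[.]net, the task name ‘PEACE’, and a scheduled task posing as an ESTsoft program) can be turned into a simple hunting rule over scheduled-task inventory. This is an added example, not ESRC's code; the task records are constructed, and the ESTsoft install root used to judge impersonation is an assumption, not something the advisory states.

```python
"""Triage scheduled-task records for the traits named in the ESTsecurity advisory.
Added example; not ESRC's code.  Records below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators quoted in the advisory (domain shown defanged there as hanainternational[.]net).
C2_DOMAIN = "hanainternational.net"
KNOWN_TASK_NAMES = {"PEACE"}
# Assumed vendor install root used to judge whether a task that claims to be
# an ESTsoft program actually runs from the vendor's directory (assumption).
ESTSOFT_ROOT = "c:\\program files\\estsoft\\"


@dataclass
class TaskRecord:
    name: str     # scheduled task name as registered
    author: str   # author/description field shown in Task Scheduler
    command: str  # full command line the task executes


def findings_for(task: TaskRecord) -> List[str]:
    """Return the suspicious traits present in one task record (empty = clean)."""
    cmd = task.command.lower().replace("[.]", ".")  # refang so defanged IoCs still match
    hits = []
    if task.name.upper() in KNOWN_TASK_NAMES:
        hits.append("task name matches advisory indicator")
    if C2_DOMAIN in cmd:
        hits.append("command references advisory C2 domain")
    if re.search(r"\.bat\b", cmd) and "powershell" in cmd:
        hits.append("batch file chained into PowerShell")
    claims_vendor = "estsoft" in (task.name + " " + task.author).lower()
    if claims_vendor and ESTSOFT_ROOT not in cmd:
        hits.append("claims ESTsoft but does not run from vendor directory")
    return hits


def triage(tasks: List[TaskRecord]) -> Dict[str, List[str]]:
    """Map each flagged task name to its findings; clean tasks are omitted."""
    report = {}
    for task in tasks:
        hits = findings_for(task)
        if hits:
            report[task.name] = hits
    return report


# Constructed sample inventory: one advisory-named task, one genuine-looking vendor
# task, one bat-to-PowerShell chain, and one vendor impersonation beaconing to the C2.
SAMPLE_TASKS = [
    TaskRecord("PEACE", "ESTsoft Corp.", 'cmd.exe /c "%APPDATA%\\update.bat"'),
    TaskRecord("ESTsoft Update", "ESTsoft", '"C:\\Program Files\\ESTsoft\\Common\\ESTUpdate.exe" /silent'),
    TaskRecord("SystemCheck", "user", 'cmd.exe /c "c:\\users\\public\\s.bat && powershell.exe -File c:\\users\\public\\s.ps1"'),
    TaskRecord("Updater", "ESTsoft", 'powershell.exe -Command "Invoke-WebRequest hanainternational[.]net"'),
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_TASKS).items():
        print(f"{name}: {', '.join(hits)}")
```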

In particular, the HWP attack method and the tactical commands used in this attack match those of previous North Korea-linked cyberattacks, and a North Korean cyber threat organisation is suspected to be behind the campaign. Moon Jong-hyun, director of the ESRC, stated, "Although spear phishing attacks based on malicious HWP documents have significantly decreased from before, they still represent an ignored threat that is consistently witnessed in covert targeted attacks. As North Korea-linked cyber threats continue to increase day by day, closer public-private coordination and cooperation are important," he urged.

Meanwhile, ESTsecurity's ESRC is sharing information on these cyber threats with related authorities such as the Korea Internet & Security Agency (KISA) and maintaining cooperation to prevent the spread of previously identified threats.

WE WORK WITH AI

We believe that AI makes the world more convenient and safer

1. Senior care with AI
An AI senior care service that takes responsibility for seniors' enjoyment and cognitive enhancement, built on AI human technology.

2. Education with AI
Celebrity-instructor video lecture creation, TOEIC speaking education content production, AI fitness training instructors, and expansion of educational businesses in various fields using AI content.

3. Content with AI
Implementing 'moving pictures' with EST AI technology, with 'face transformation, makeup application, and clothing creation' through deep learning; creating and utilising various AI human content such as new employee analysts, announcers, etc.

4. API business with AI
Providing data and solutions that use AI as an API, so that companies can focus on their inherent customer value.

5. Software with AI
ESTsoft AI technology, such as the background removal applied in ALSee Capture, together with the smooth design of the ALTools products, provides the utility environment that users want.


LET'S Connect

We collaborate with ambitious brands and people around the world.

To learn more about creating digital experiences that effectively reach and engage customers and target audiences, please contact us.

Download Company Brochure

CEO: Sangwon Jung

Business Registration Number 229-81-03214 Mail-Order Business Notification Number 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code 06711)

Family Site
