ESTsecurity: Attack impersonating a domestic portal company's cloud service… North Korea-linked hacking continues in succession

2022. 8. 8.

A sophisticated hacking attempt posing as a data-sharing invitation from the portal company's actual cloud service

Integrated security company ESTsecurity (CEO Jeong Jin-il) warned on the 8th that it has recently detected North Korea-linked hacking attacks disguised as invitations from a domestic portal company's cloud sharing service, and urged special caution.

The recent attack impersonated a service with many users in Korea and was a phishing campaign aimed primarily at experts and journalists who work on North Korea.

The attack carried out last Saturday pretended that a file titled 'The History of North Korea's Nuclear Development and Prospects for the Development of North Korea-US Relations' had been shared, and it was sent in the name of a person who served as the first director of overseas and North Korean affairs at the National Intelligence Service under a past government.

To induce the recipient to click the invitation acceptance button, the body of the email even included an invitation message that read, 'We send you one case on the strategic direction of North Korea's 8th party congress and the prospect of changes in the policy towards the South.' This tailored content made the email more credible to the recipient.

Analysis by the ESTsecurity Security Response Center (ESRC) found that clicking the [Accept] button in the email body connects to phishing servers such as ‘share.myboxes.navers[.]tech’ and ‘view.boxfile[.]click’, which attempt to steal the user's password.

The attackers did not use the portal's actual cloud sharing invitation feature, but the body of the email mimicked the design and wording of the real service almost exactly, so recipients who have received such share invitations before are likely to be exposed to the threat without suspicion.

ESRC, which has been analyzing these attack methods for several months, explained that it ultimately attributed the attack to a hacking organization it classifies as 'KGH', which is linked to North Korea's Reconnaissance General Bureau. It regards the attack as a continuation of the 'Semitz NFT Reward Impersonation Hacking' incident of last July, known to have been aimed at earning foreign currency, and of the 'hacking attack disguised as issuing a health examination result certificate' that has been discovered continuously since earlier this year.

Meanwhile, the threat organization identified behind this attack also took part in attacks last July that impersonated notification emails of a smart credit service provided by a specific domestic credit card company and a financial information protection service that alerts customers via SMS and email when identity verification occurs in the customer's name.

That attack was also phishing: it impersonated the service and lured recipients into clicking the [Verify Identity Verification History] button, which connected to the ‘hanacard.navceo[.]website’ phishing server and attempted to steal the recipient's email password.
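The button links described above can be checked mechanically before a message reaches a user. The following Python sketch is an added example, not ESTsecurity's tooling: it extracts every link from an HTML email body and classifies its host against an allowlist. The allowlisted domain `portal.example`, the brand tokens, the URL paths and the sample email are constructed assumptions; only the three defanged hostnames come from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for this illustration (not values from the article):
ALLOWED_SUFFIXES = ("portal.example",)          # placeholder for the real service's domain
BRAND_TOKENS = ("naver", "mybox", "hanacard")   # substrings to treat as brand names

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Return the lower-cased hostname, accepting defanged input (hxxp, [.])."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    return (urlsplit(url).hostname or "").rstrip(".")

def classify(host):
    if not host:
        return "no-host"
    # Match on a label boundary so portal.example.evil.test is not allowed.
    if any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES):
        return "allowed"
    if any(tok in host for tok in BRAND_TOKENS):
        return "brand-lookalike"   # brand name appears, but not on the real domain
    return "off-domain"            # no brand token, still not the real service

def audit_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return [(text, host_of(href), classify(host_of(href)))
            for href, text in parser.links]

# Constructed sample body; hostnames are the defanged indicators from the article.
SAMPLE_EMAIL = """
<p>A file has been shared with you.</p>
<a href="hxxps://share.myboxes.navers[.]tech/invite">Accept</a>
<a href="hxxps://view.boxfile[.]click/open">Accept</a>
<a href="hxxps://hanacard.navceo[.]website/history">Verify Identity Verification History</a>
<a href="https://drive.portal.example/help">Help</a>
"""

if __name__ == "__main__":
    for text, host, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:16} {host:32} [{text}]")
```

Brand-token matching alone misses ‘view.boxfile[.]click’, which contains none of the tokens; the allowlist check is what flags it.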

The attackers keep targeting people in Korea who work on North Korea-related matters, using a variety of themes, until a hack succeeds. They use not only URL phishing that simply induces a click but also malicious documents such as DOC and HWP files.

An ESTsecurity ESRC official noted, 'As the ROK-US joint military exercise begins on the 22nd, the cyber offensive, pointed to North Korea, is intensifying,' and urged, 'Especially since we are exposed to email hacking attacks disguised as everyday content, both individuals and companies should heighten their attention and vigilance on cyber security, remove blind spots and insensitivity, and make full preparations for security.'

ESTsecurity is cooperating closely with related bodies such as the Korea Internet & Security Agency (KISA) to prevent similar damage from spreading.

CEO: Sangwon Jung

Business Registration Number 229-81-03214 Mail-Order Business Notification Number 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code)06711
