ESTsecurity, discovered North Korea-originated hacking attacks that stole the identity of an active duty police officer's badge

2022. 8. 17.

'An attacker has been found to have approached targets by stealing the real name and ID card of a current investigator in the National Police Agency's Security Investigation Division.'


▲ The current police officer's ID card displayed during the hacking attempt (partially blurred)
(Provided by ESTsecurity)

ESTsecurity (CEO Jeong Jin-il), a security company, warned that a hacking attack impersonating a current police officer who investigates North Korean hacking incidents has recently emerged, and urged special caution.

In this case the attacker impersonated a security investigator working at the OO Police Agency, and the hack was attempted using a PDF copy of a civil servant ID card showing the officer's face and real name.

A hacking incident involving stolen police IDs also occurred in 2017, when an attack disguised as a request for assistance with a membership inquiry targeted an official of a domestic Bitcoin exchange. That attack used malicious code with the file name "Bitcoin transaction history.xls" together with a copy of a police ID in PDF form, and after an extensive investigation the authorities concluded it was the work of North Korea.

The earlier police-impersonation attack against the Bitcoin exchange sent the genuine ID document as a separate email attachment alongside the malicious documents. This attack instead hid the genuine ID PDF inside a malicious executable (EXE), which drops the normal-looking file in its place at the moment the malicious code runs.
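As an added example that is not ESTsecurity's or the ESRC's code, the following Python triage check looks for the decoy pattern described above: a complete PDF document carried inside a Windows executable. The sample bytes, the function names and the simple `MZ` header check are all constructed for this illustration.

```python
"""Triage check: flag executables that carry an embedded PDF decoy.

Added example, not ESTsecurity/ESRC code. It looks for a '%PDF-' header
and a '%%EOF' trailer inside a file that starts with the 'MZ' PE magic,
which is the decoy-dropper pattern described in the article. Real samples
may compress or encrypt the decoy, so a clean result is not proof of safety.
"""
import re
from dataclasses import dataclass
from typing import Optional

PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PDF_TRAILER = b"%%EOF"


@dataclass
class EmbeddedPdf:
    offset: int    # byte offset of '%PDF-' inside the executable
    length: int    # bytes from the header through the last '%%EOF'
    version: str   # PDF version string, e.g. "1.4"


def find_embedded_pdf(data: bytes) -> Optional[EmbeddedPdf]:
    """Return the location of an embedded PDF inside a PE image, or None."""
    if not data.startswith(b"MZ"):
        return None                      # not a Windows executable
    m = PDF_HEADER.search(data, 2)       # skip the MZ magic itself
    if m is None:
        return None
    end = data.rfind(PDF_TRAILER)
    if end == -1 or end < m.start():
        return None                      # header without trailer: truncated
    length = end + len(PDF_TRAILER) - m.start()
    return EmbeddedPdf(m.start(), length, m.group(0)[5:].decode())


def carve_embedded_pdf(data: bytes) -> bytes:
    """Extract the decoy bytes so an analyst can inspect them separately."""
    hit = find_embedded_pdf(data)
    return data[hit.offset:hit.offset + hit.length] if hit else b""


# Constructed sample: a fake PE stub with a tiny PDF appended as an overlay.
FAKE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
SAMPLE_DROPPER = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 64 + FAKE_PDF
CLEAN_EXE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 64

if __name__ == "__main__":
    hit = find_embedded_pdf(SAMPLE_DROPPER)
    print("embedded PDF at offset", hit.offset, "length", hit.length)
```

On a real mail gateway the same check would run over every EXE attachment and quarantine hits for manual review rather than relying on the file name alone.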

It is noteworthy that domestic cyber threats are becoming bolder and more overt over time. Still, conventional executable-file attacks of this kind can be adequately prevented with careful attention and a steady interest in current security trends.

In particular, people who have frequently been the target of hacking attacks should take note of attacks like this one.

After analyzing the attack, the ESTsecurity Security Response Center (ESRC) found that a domestic server had been abused as the attack base. Working closely with the authorities, it promptly dealt with the breached server, preventing further damage, and secured various records from the attack's command process for detailed analysis.

The ESRC found that the web server commands used in this attack match the command pattern of attacks reported in February and May, which respectively impersonated [the UN Human Rights Office's special report on the 'Human Rights Situation in the Democratic People's Republic of Korea'] and [the Ministry of Unification's consultation of 20th-term advisors for North Korean defectors regarding anti-North leaflets].

In addition, the design used to induce macro execution in the malicious DOCX document impersonating the "UN Human Rights Office" was found to be identical to the screen seen in attacks impersonating the "Ministry of Unification Settlement Support Division", which have been attributed to North Korea.

In the malicious Word files captured in similar attacks, opening the document first shows a fake Microsoft banner reading [The document is protected], and the design that pushes the user to click the [Enable Content] button is reused with the same image. Analysts should still look carefully at cases where the English wording or some words have been changed.

By closely comparing the command-and-control (C2) infrastructure, the similarity of the PowerShell code, and the key indicators of compromise (IoC) used in this attack, the ESRC ultimately attributed it to the so-called 'Smoke Screen' Advanced Persistent Threat (APT) campaign of a hacking group linked to North Korea's Reconnaissance General Bureau.

An official from the ESTsecurity ESRC commented, "The cyber security threat from North Korea is dangerous enough that it attempts to search for hacking targets by stealing the identity of an active-duty South Korean police officer and approaches them boldly," and emphasized that "It's time to always be suspicious and to increase our vigilance and tension, as in the Zero Trust cyber security model that assumes nothing is trusted."

ESTsecurity is working closely with related government agencies, including the Korea Internet & Security Agency (KISA), on response measures to prevent similar damage from spreading.

CEO: Sangwon Jung

Business Registration Number 229-81-03214, Mail-Order Business Notification Number 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code 06711)
