ESTsecurity, be cautious of North Korean hacking attacks disguised as payment for thesis review fees


2022. 10. 12.


Attackers approached professors in the fields of aviation, diplomacy, security, and national defense under the guise of requests to review academic papers


Security company ESTsecurity (CEO Kim Jang Jung) warned on the 12th that APT (advanced persistent threat) attacks disguised as a paper on 'US-China competition and North Korea's asymmetrical diplomatic strategy review' keep appearing and call for special attention.

The recent cases took the form of requests to review manuscripts submitted to the journals of specific domestic universities, and the attacks used documents disguised as ordinary papers and review opinions.

The attacker was also found to be collecting current professors' official email addresses, as well as their alma mater or personal free webmail addresses, for phishing attacks. Notably, the phishing sites were built individually to match the differing email login page designs of each university.

In particular, the phishing sites were made to resemble the legitimate sites fairly closely at a glance. Phishing addresses identified so far include Korea University (cloud.kcrea.rf[.]gd), Kyung Hee University (files.khu.rf[.]gd), Gyeongsang National University (clouds.kyungnam.rf[.]gd), Ewha Womans University (ewha-cloud.epizy[.]com), Sogang University (clouds.sogang.rf[.]gd), and others.

It is therefore very important to make a habit of carefully checking whether a website's login page address is genuine.
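The address check recommended above can be automated at a mail gateway or proxy. The following sketch is an added example, not code from ESTsecurity: the free-hosting suffixes come from the addresses listed above, while the `TRUSTED` mapping of legitimate university domains and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Free-hosting parent domains taken from the addresses listed in the article.
FREE_HOSTING = ("rf.gd", "epizy.com")

# Assumption: short name -> domain the real login pages live under.
# Illustrative mapping; replace with your own institution's domains.
TRUSTED = {"khu": "khu.ac.kr", "ewha": "ewha.ac.kr", "sogang": "sogang.ac.kr"}


def hostname_of(value):
    """Return the lowercase hostname of a URL or bare, possibly defanged, host."""
    value = value.strip().replace("[.]", ".")
    if "://" not in value:
        value = "https://" + value
    # urlsplit drops any "user@" prefix, so text before "@" never counts as host.
    return (urlsplit(value).hostname or "").rstrip(".").lower()


def is_under(host, domain):
    """True if host equals domain or is a subdomain of it (label-aligned)."""
    return host == domain or host.endswith("." + domain)


def check_login_host(value):
    """Classify as 'trusted', 'impersonation', 'free-hosting' or 'unknown'."""
    host = hostname_of(value)
    if any(is_under(host, d) for d in TRUSTED.values()):
        return "trusted"
    # Split on dots and hyphens so "ewha-cloud" still yields the token "ewha".
    tokens = set(re.split(r"[.-]", host))
    if tokens & set(TRUSTED):
        return "impersonation"  # institution name used outside its real domain
    if any(is_under(host, d) for d in FREE_HOSTING):
        return "free-hosting"
    return "unknown"


if __name__ == "__main__":
    # Addresses from the article plus one constructed legitimate URL.
    samples = [
        "files.khu.rf[.]gd",
        "ewha-cloud.epizy[.]com",
        "cloud.kcrea.rf[.]gd",
        "https://portal.sogang.ac.kr/login",  # constructed sample
    ]
    for s in samples:
        print(f"{s:40} {check_login_host(s)}")
```

A misspelled name such as `kcrea` matches no token, so it is caught only by the free-hosting rule; an allowlist of real login domains remains the stronger control.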

Phishing attacks disguised as academic paper or journal reviews have recently become fairly well known, and attackers use a phased trust-building strategy to raise their success rate. Specifically, they open with benign content to approach naturally, then single out the recipients who show interest by replying and send malicious attachments to them individually. They also show patience and meticulousness, carrying out follow-up attacks after a certain interval.

The ESTsecurity Security Response Center (ESRC) analyzed the attack and found that once login information has been leaked through a university's phishing site, the site is configured to download a normal document file in order to avoid suspicion of hacking. ESRC has been coordinating closely with security authorities to block the phishing servers quickly and is carrying out further detailed analysis.

ESRC found that the phishing servers used in the attack and the techniques of the malicious DOC document are consistent with the existing 'Fake Striker' threat campaign, and ultimately identified a North Korea-linked hacking organization as being behind the threat. It added that Korea faces various North Korean cyber threats on an almost daily basis.

Meanwhile, extra caution is needed because former professors and high-ranking officials could also become targets in turn. In particular, it is important to remember that clicking the [Enable Content] button when viewing MS Office document files can be very dangerous.

Moon Jong Hyun, director of the ESTsecurity ESRC center, emphasized the need for vigilance, stating, "The level of North Korean cyber threats, daring enough to build phishing servers mimicking major domestic universities and searching for professors in the aviation, diplomacy, security, and defense sectors to attempt hacking, is escalating," and added, "If a victim tricked by a malicious document file delivered under the guise of an honorarium payment provides sensitive personal information, primary information can be leaked directly to hackers, leading to secondary damage." He strongly advised thorough security precautions.

ESTsecurity is working closely with related agencies such as the Korea Internet & Security Agency (KISA) to prevent similar damage from spreading.
