North Korean hackers: “Kimsuky” attacks


Exclusive

Status: 03/20/2023 09:02 a.m.

North Korean hackers are increasingly targeting Germany, apparently by abusing Google’s web browser and app store. The German Office for the Protection of the Constitution and South Korea’s domestic intelligence service are now warning of new cyber attacks.

Above all, it is the nuclear threats and the constant missile tests with which North Korea regularly makes the headlines. Kim Jong-Un’s dictatorship remains one of the most closed countries in the world, and North Korea isolated itself even further during the Covid pandemic. Most of the population still has no access to uncensored information from the outside world, and the free Internet is off-limits to the majority of citizens.

Nevertheless, North Korea has developed into a serious threat in recent years, including in cyberspace. According to Western security authorities, the regime’s hackers operate worldwide, using cyber attacks to obtain information from politics, industry and science and to steal cryptocurrency worth millions – possibly to finance North Korea’s nuclear and missile programs.

One of the most active North Korean hacking units is the group “Kimsuky”, also known as “Velvet Chollima” or “Thallium”. It is said to have been active since 2012, and IT security experts attribute it to North Korean government agencies. The “Kimsuky” hackers – named after an e-mail account the hackers once used – specialize in cyber espionage. They mainly attack people from the fields of politics, science and research, and in the past have targeted, for example, internal South Korean government documents.

Cyber attacks expected in Germany

According to information obtained by WDR, the Federal Office for the Protection of the Constitution (BfV) is now explicitly warning of a “Kimsuky” cyber campaign in Germany as well. For the first time, the German constitutional protection officers have issued a joint advisory with South Korea’s domestic intelligence service, the National Intelligence Service (NIS), to alert potential victims in Germany to the hackers from North Korea.

“The activities are characterized by the misuse of Google’s browser and app store services against researchers on the inner-Korean conflict,” says a warning letter from the BfV. “According to estimates by NIS and BfV, the actor has already targeted Korean and German institutions with spear phishing e-mails in recent years.” It can be assumed that the hackers could also attack think tanks and organizations that deal with diplomacy and security policy in the future.

Attacks via Google’s Chrome web browser

According to the Office for the Protection of the Constitution, the “Kimsuky” hackers’ preferred approach is spear phishing, i.e. legitimate-looking e-mails specially tailored to the target person, to get the victim to click a specific link, land on a genuine-looking website and log in there. Examples of such look-alike addresses are goog1e.com instead of google.com, webb.de instead of web.de or gnx.net instead of gmx.net. The advisory also warns about e-mail attachments with names such as “New research work”, “Résumé” or “Invoice no. 28629”.
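As an added example that is not part of the article, the following Python check flags the kind of look-alike domains the BfV describes (goog1e.com, webb.de, gnx.net) against an allowlist of the genuine domains, the way a mail gateway or a user-facing link warning might; the allowlist, the homoglyph table and the distance threshold are assumptions made for illustration.

```python
# Added example (not from the article): detect look-alike domains by combining
# homoglyph normalisation (digits that mimic letters) with an edit distance of 1.
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist of the legitimate domains named in the article.
LEGITIMATE_DOMAINS = {"google.com", "web.de", "gmx.net"}

# Characters commonly swapped in because they resemble letters (assumed table).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lower-case the domain and map look-alike digits back to letters."""
    return domain.lower().strip().translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, allowlist=LEGITIMATE_DOMAINS) -> Optional[str]:
    """Return the legitimate domain this one imitates, or None if it is genuine or unrelated."""
    d = domain.lower().strip()
    if d in allowlist:
        return None  # exact match with a genuine domain is never flagged
    nd = normalize(d)
    for legit in allowlist:
        if nd == legit or levenshtein(nd, legit) <= 1:
            return legit
    return None


def classify_link(url: str) -> str:
    """Label a URL from a phishing mail as suspicious or ok based on its host."""
    host = urlparse(url).hostname or ""
    target = lookalike_of(host)
    return f"SUSPICIOUS: {host} imitates {target}" if target else f"ok: {host}"
```

A real deployment would feed this from the organisation’s own list of trusted mail and login domains and would treat a hit as a reason to hold the message for review rather than as proof of an attack.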

As a new method, the Office for the Protection of the Constitution names in its warning the abuse of the Google Chrome web browser for such attacks. The victim is sent an e-mail asking them to install a browser extension, which is in fact a malicious program used to steal Gmail account information, i.e. username and password.

Bypassed two-factor authentication

“The aim of the procedure is the unnoticed hijacking of the contents of the victim’s e-mail inbox. The usual security precautions of the e-mail provider, such as two-factor authentication, are circumvented,” warn the German and South Korean domestic intelligence services.

A second attack method used by North Korean hackers is the unnoticed installation of malware on Android smartphones via the Google Play app store, namely by abusing the synchronization function.

The hackers are said to proceed roughly as follows: they use the captured account data of their victims to log into the victim’s Google account and activate the Google Play synchronization function in the account settings. The hackers then upload a supposedly harmless app, which is actually malware, to the Google Play store.

The victim’s Google account is then added as a test participant in a supposed test phase of the app. As a result, the malicious program is installed automatically on the device without any further action or knowledge on the part of the victim.

Two hackers charged

So far, however, the procedure described has only rarely been observed, according to the intelligence services; the hackers are apparently very careful not to be discovered. People in Germany who fear they may be among the victims of such an attack from North Korea should contact the Federal Office for the Protection of the Constitution immediately.

North Korean cyber attacks on German targets had already been detected in the past. The best-known North Korean hacker group, APT38 or “Lazarus Group”, is said to have tried to spy on armaments companies. The pharmaceutical industry, especially developers of coronavirus vaccines, is also said to have been a focus of the Pyongyang regime’s hackers.

In February 2021, the US judiciary indicted three suspected hackers from the North Korean “Lazarus” group in absentia and held them responsible for numerous attacks worldwide. Among other things, they are said to have carried out virtual bank robberies in which they stole up to one billion euros in cryptocurrencies.
