For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are several reasons why this campaign is unusual in its execution and logistics. It all started when we came across a fairly unsophisticated spy program that communicated with its “master” via a public e-mail server, an approach typical of amateur virus writers.
However, there were a few things that attracted our attention:
- The public e-mail server in question was Bulgarian – mail.bg.
- The compilation path string contained Korean (Hangul) characters.
The complete compilation path recovered from the malware’s debug information contains the following Korean strings:
D:\rsh\공격\UAC_dll(완성)\Release\test.pdb
“rsh” appears to be an abbreviation of “remote shell”, and the Korean words translate into English as “attack” (공격) and “completion” (완성), i.e.:
D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb
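The build path above survives in the binary as a CodeView (“RSDS”) debug record, which makes it a cheap triage indicator. As an added example that is not part of the original article or the researchers’ tooling, the script below scans a PE image for RSDS records, extracts the PDB path and flags any path component containing Hangul. The sample PE bytes, the GUID and age, and the decoding order (UTF-8 first, then CP949 as the Korean Windows ANSI code page) are assumptions made for the example.

```python
"""
Added example (not from the original article): hunt for CodeView 'RSDS' PDB
records in a PE image and flag compilation paths containing Hangul.
"""
import re
import struct
from typing import List, NamedTuple

# Hangul syllables, Hangul Jamo and Hangul compatibility Jamo.
HANGUL_RE = re.compile(r"[\uAC00-\uD7A3\u1100-\u11FF\u3130-\u318F]")

# The path quoted in the article, reused here as constructed sample input.
SAMPLE_PATH = "D:\\rsh\\공격\\UAC_dll(완성)\\Release\\test.pdb"


class PdbRecord(NamedTuple):
    symstore_id: str  # GUID hex + age, the key symbol servers use for a PDB
    age: int
    path: str


def format_symstore_id(guid: bytes, age: int) -> str:
    """GUID as three little-endian fields plus eight raw bytes, then the age."""
    d1, d2, d3 = struct.unpack_from("<IHH", guid, 0)
    return f"{d1:08X}{d2:04X}{d3:04X}{guid[8:].hex().upper()}{age:X}"


def decode_pdb_path(raw: bytes) -> str:
    """Newer MSVC linkers store the path as UTF-8; older ones used the build
    host's ANSI code page, which on Korean Windows is CP949 (assumed order)."""
    for codec in ("utf-8", "cp949"):
        try:
            return raw.decode(codec)
        except UnicodeDecodeError:
            pass
    return raw.decode("latin-1")  # last resort: never abort a hunt


def find_pdb_records(data: bytes) -> List[PdbRecord]:
    """Scan raw bytes for CodeView 7.0 records: b'RSDS' + 16-byte GUID +
    4-byte age + NUL-terminated path. Scanning the whole image instead of
    walking the debug directory also catches records in malformed binaries."""
    records = []
    pos = data.find(b"RSDS")
    while pos != -1:
        body = data[pos + 4:]
        end = body.find(b"\x00", 20) if len(body) > 20 else -1
        if end != -1:
            path = decode_pdb_path(body[20:end])
            # Filter accidental 'RSDS' byte runs: a real record names a .pdb
            if path.lower().endswith(".pdb"):
                age = struct.unpack_from("<I", body, 16)[0]
                records.append(PdbRecord(format_symstore_id(body[:16], age), age, path))
        pos = data.find(b"RSDS", pos + 4)
    return records


def hangul_components(path: str) -> List[str]:
    """Return the path components (directories or file name) containing Hangul."""
    return [part for part in re.split(r"[\\/]", path) if HANGUL_RE.search(part)]


def triage(data: bytes) -> List[dict]:
    """Summarise every PDB record found and whether its path should be flagged."""
    rows = []
    for rec in find_pdb_records(data):
        hits = hangul_components(rec.path)
        rows.append({"symstore_id": rec.symstore_id, "path": rec.path,
                     "hangul_components": hits, "flagged": bool(hits)})
    return rows


def build_sample(path: str, codec: str) -> bytes:
    """Constructed stand-in for a PE image's debug data (NOT a real campaign
    binary): a fake header, one RSDS record and some trailing bytes."""
    guid = bytes.fromhex("00112233445566778899AABBCCDDEEFF")  # assumed value
    record = b"RSDS" + guid + struct.pack("<I", 1) + path.encode(codec) + b"\x00"
    return b"MZ" + b"\x00" * 62 + record + b"\x90" * 16


if __name__ == "__main__":
    for codec in ("cp949", "utf-8"):
        for row in triage(build_sample(SAMPLE_PATH, codec)):
            print(codec, row)
```

Run it against a real sample by replacing `build_sample(...)` with the file’s bytes; the `symstore_id` lets you check whether the PDB was ever published to a symbol server, and the Hangul check is only a heuristic, since legitimate Korean software is built on Korean-language hosts too.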
We managed to identify several targets. Here are some of the organizations that the attackers were interested in targeting:
| Organization | Description |
|---|---|
| The Sejong Institute | The Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy. |
| Korea Institute For Defense Analyses (KIDA) | KIDA is a comprehensive defense research institution that covers a wide range of defense-related issues. KIDA is organized into seven research centers: the Center for Security and Strategy; the Center for Military Planning; the Center for Human Resource Development; the Center for Resource Management; the Center for Weapon Systems Studies; the Center for Information System Studies; and the Center for Modeling and Simulation. KIDA also has an IT Consulting Group and various supporting departments. KIDA’s mission is to contribute to rational defense policy-making through intensive and systematic research and analysis of defense issues. |
| Ministry of Unification | The Ministry of Unification is an executive department of the South Korean government responsible for working towards the reunification of Korea. Its major duties are: establishing North Korea policy, coordinating inter-Korean dialogue, pursuing inter-Korean cooperation and educating the public on unification. |
| Hyundai Merchant Marine | Hyundai Merchant Marine is a South Korean logistics company providing worldwide container shipping services. |
Some clues suggest that computers belonging to “The supporters of Korean Unification” (http://www.unihope.kr/) have also been compromised. Of the other affected organizations we counted, 11 are based in South Korea and two in China.
The campaign involves a large number of minimal malicious programs, each of which, unusually, implements a single spying function. We found basic libraries responsible for communication with the campaign’s master, plus additional modules performing the following functions:
- Keystroke logging
- Directory listing collection
- HWP document theft
- Remote control download and execution
- Remote control access
The clues we found make it possible to surmise a North Korean origin for the attackers. A detailed report on this campaign can be found in our article “The ‘Kimsuky’ Operation: A North Korean APT?”.
Kimsuky APT: Operation’s possible North Korean links uncovered