North Korean hackers behind ‘sophisticated’ effort to elicit views of experts

North KoreaA NOTORIOUS NORTH KOREAN hacker group is believed to be behind a “sophisticated” effort to elicit the views of international experts on issues that are of concern to Pyongyang, according to an investigation by Reuters. The news agency said its reporters had managed to uncover this previously unreported campaign with the help of cybersecurity experts and five individuals who had been targeted by the North Korean hackers.

The North Korean hacker group that is alleged to be behind this elicitation campaign is known among cybersecurity experts as Thallium, or Kimsuky. It has been active since at least 2012 and has orchestrated intensive “spear-phishing” attacks against international targets. Similarly to other hacker groups that have been active in the past decade, Thallium’s operations have centered on tricking its targets to download malware on their personal electronic devices, or to share sensitive information, including passwords.

Lately, however, the group has changed its tactics in striking ways, according to Reuters. Instead of trying to steal secrets, it has been involved in a campaign aimed at eliciting the views of Western experts on North Korean affairs. It has been doing so by directly contacting these experts with requests to review policy papers, or by commissioning opinion pieces on various aspects of North Korean politics, economy and society. The requests are camouflaged to appear as originating from respected think-tanks, universities or consultancy firms.

Since January of this year, when the first experts began to be contacted, “multiple” individuals have fallen victim to this elicitation campaign, according to experts at the Microsoft Threat Intelligence Center (MSTIC). They include policy experts working for Western governments, think-tank and university researchers, as well as human-rights campaigners. They have all fallen victim to “sophisticated” requests that use polished language and appear legitimate, according to Reuters.

In most cases, the elicitation emails promise a payment of $300.00 in return for reviewing a manuscript, authoring a short opinion piece, or recommending another expert who may be able to provide these services. However, none of the individuals who proceeded to provide these services have ever received any funds. Cybersecurity experts, who reviewed the elicitation campaign, told Reuters that the hackers never intended to provide any payments to targets.

Author: Joseph Fitsanakis | Date: 13 August 2022 | Permalink

2 Responses to North Korean hackers behind ‘sophisticated’ effort to elicit views of experts

  1. Nicholas Dujmovic says:

    This is odd. Do they really want to know what experts think of their country?
    But the unforgiveable part is not getting paid.

  2. Pete says:

    I think, what I generically call North Korea’s “NSA” shifting from thoroughly illegal “spear-phishing” malware attacks to a merely frowned upon journalistic tactic of eliciting information then failing to pay, of itself, falls short of a being a major international matter.

    However the actual methods and systems to detect these North Korean sigint/hacking intelligence gathering strategies are more sensitive.

    A knowledge of Korean and sigint would point to South Korea’s (SK’s) NSA counter-intelligence involvement. Then SK NSA would pass on a covert version of what it found to its liaison partners eg. the US NSA. While the SK and/or US NSAs would also pass on overt versions to consultancies and media organizations.

    Passing to consultancies and media organizations serves the important NSA functions of enhancing the information/cyber security and awareness of Western corporations, academics and the public. While the publicity aspect also serves the Western alliance objective of criticizing the North Korean regime.

We welcome informed comments and corrections. Comments attacking or deriding the author(s), instead of addressing the content of articles, will NOT be approved for publication.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: