North Korean cyber spies deploy new tactic: Tricking foreign experts into writing research for them

SEOUL: When Daniel DePetris, a United States-based foreign affairs analyst, received an email in October from the director of the 38 North think-tank commissioning an article, it seemed to be business as usual.

It was not.

The sender was actually a suspected North Korean spy seeking information, according to those involved and three cybersecurity researchers.

Instead of infecting his computer and stealing sensitive data, as hackers typically do, the sender appeared to be trying to elicit his thoughts on North Korean security issues by pretending to be 38 North director Jenny Town.

“I realised it wasn’t legit once I contacted the person with follow-up questions and found out there was, in fact, no request that was made, and that this person was also a target,” DePetris told Reuters, referring to Town. “So I figured out pretty quickly this was a widespread campaign.”

The email is part of a new and previously unreported campaign by a suspected North Korean hacking group, according to the cybersecurity experts, five targeted individuals and emails reviewed by Reuters.

The hacking group, which researchers dubbed Thallium or Kimsuky, among other names, has long used “spear-phishing” emails that trick targets into giving up passwords or clicking attachments or links that load malware. Now, however, it also appears to simply ask researchers or other experts to offer opinions or write reports.

According to emails reviewed by Reuters, the other issues raised included China’s reaction in the event of a new nuclear test and whether a “quieter” approach to North Korean “aggression” might be warranted.

“The attackers are having a ton of success with this very, very simple method,” said James Elliott of the Microsoft Threat Intelligence Center (MSTIC), who added that the new tactic first emerged in January. “The attackers have completely changed the process.”

MSTIC said it had identified “multiple” North Korea experts who have provided information to a Thallium attacker account.

The experts and analysts targeted in the campaign are influential in shaping international public opinion and foreign governments’ policies toward North Korea, the cybersecurity researchers said.

A 2020 report by US government cybersecurity agencies said that Thallium has been operating since 2012 and “is most likely tasked by the North Korean regime with a global intelligence gathering mission”.

Thallium has historically targeted government employees, think-tanks, academics and human rights organisations, according to Microsoft.

“The attackers are getting the information directly from the horse’s mouth, if you will, and they don’t have to sit there and make interpretations because they’re getting it directly from the expert,” Elliott said.
