South Korean organizations that conduct research on international affairs, national security and Korean unification are under siege from cyberspies whose attack may have its origins in North Korea.
The attack campaign, which has been dubbed "Kimsuky," involves the use of malware to steal sensitive information from these institutions and has been monitored for the past several months by researchers from antivirus vendor Kaspersky Lab.
The full list of victims remains unknown, but Kaspersky's technical analysis suggests that the targeted organizations included the Sejong Institute, a non-profit think tank that conducts research on national security, unification, regional issues and international political economy; the Korea Institute for Defense Analyses (KIDA), a research institution focused on military planning, security and strategy, human resource development, weapon systems and more; the South Korean Ministry of Unification, which works toward the reunification of Korea and promotes inter-Korean dialogue; and Hyundai Merchant Marine, a South Korean logistics company specializing in container shipping.
"Among the organizations we counted, 11 are based in South Korea and two entities reside in China," Dmitry Tarakanov, a malware researcher at Kaspersky Lab, said Wednesday in a blog post.
The malware used in the attack, which is now detected by Kaspersky products as Trojan.Win32.Kimsuky, communicates with the attackers through a free Bulgarian webmail service, mail.bg. The malware connects to the webmail interface and authenticates with hardcoded credentials for specific mail.bg accounts.
It then checks the inbox for messages whose subject lines encode commands from the attackers. Those emails can also carry encrypted attachments: malicious executables that serve as updates or additional components for the malware.
It's not clear how attackers distribute the Kimsuky Trojan horse program to their targets, but spear-phishing is a likely possibility, Tarakanov said.
The malware has several modules with different functions, including keylogging, collecting directory listings from infected computers, searching for and stealing documents in the HWP format generated by the South Korean Hancom Office suite, and allowing attackers to remotely control the infected computers.
The remote control module is actually a modified version of TeamViewer, a legitimate remote control application, Tarakanov said.
The malware reports the infection status and sends all of the stolen data back to the attackers using the same webmail-based technique. The data is encrypted and attached to emails which are sent from the mail.bg accounts to hardcoded Hotmail accounts used by the attackers.
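Because the command channel and the exfiltration path described above both ride on an ordinary webmail site, there is no custom protocol to signature; what stands out is the behaviour of the host: a client that contacts the same webmail service on a fixed schedule, and that uploads unusually large attachments to it. The following detection sketch is an added example written for this article, not code from Kaspersky's analysis or from the malware. It works over constructed proxy log lines in an assumed "timestamp client method host path bytes_sent" layout; the thresholds, the session gap and the sample traffic are all assumptions that would need tuning against real logs.

```python
"""Flag hosts that poll a webmail service on a regular beat and upload a lot of data to it.

Added example for the Kimsuky article; not the malware's code and not Kaspersky's.
Log layout, thresholds and sample lines are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WATCHED_HOSTS = {"mail.bg"}   # the webmail service named in the article; extend as needed
SESSION_GAP_S = 60            # requests closer than this are one login/poll burst (assumption)
MIN_SESSIONS = 4              # need a few polls before calling it periodic (assumption)
MAX_JITTER_RATIO = 0.20       # stdev(interval) / mean(interval) upper bound (assumption)
EXFIL_BYTES = 100_000         # total bytes uploaded to the webmail host (assumption)

# Constructed sample proxy log, not real traffic. 10.1.2.7 polls every 30 minutes and
# uploads a ~200 KB attachment; 10.1.2.9 is a person reading mail; 10.1.2.11 is unrelated.
SAMPLE_LOG = """\
2013-09-11T09:00:00 10.1.2.7 GET mail.bg /login 0
2013-09-11T09:00:01 10.1.2.7 POST mail.bg /login 512
2013-09-11T09:00:02 10.1.2.7 GET mail.bg /inbox 0
2013-09-11T09:30:01 10.1.2.7 GET mail.bg /inbox 0
2013-09-11T10:00:02 10.1.2.7 GET mail.bg /inbox 0
2013-09-11T10:30:00 10.1.2.7 GET mail.bg /inbox 0
2013-09-11T10:30:05 10.1.2.7 POST mail.bg /send 204800
2013-09-11T09:05:00 10.1.2.9 GET mail.bg /login 0
2013-09-11T11:47:13 10.1.2.9 GET mail.bg /inbox 0
2013-09-11T09:10:00 10.1.2.11 GET www.example.com / 0
"""


def parse_line(line):
    """Split one log line into (timestamp, client, method, host, path, bytes_sent)."""
    ts, client, method, host, path, sent = line.split()
    return datetime.fromisoformat(ts), client, method, host, path, int(sent)


def sessions(timestamps, gap=SESSION_GAP_S):
    """Collapse bursts of requests into sessions; return the start time of each session."""
    starts, last = [], None
    for ts in sorted(timestamps):
        if last is None or (ts - last).total_seconds() > gap:
            starts.append(ts)
        last = ts
    return starts


def analyze(log_text):
    """Return {client: [reasons]} for clients whose webmail use looks like a C2 channel."""
    per_client = defaultdict(lambda: {"times": [], "bytes_sent": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _path, sent = parse_line(line)
        if host not in WATCHED_HOSTS:
            continue
        per_client[client]["times"].append(ts)
        per_client[client]["bytes_sent"] += sent

    findings = {}
    for client, rec in per_client.items():
        reasons = []
        starts = sessions(rec["times"])
        if len(starts) >= MIN_SESSIONS:
            gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
            m = mean(gaps)
            # Low jitter between session starts is the beaconing signal.
            if m > 0 and pstdev(gaps) / m <= MAX_JITTER_RATIO:
                reasons.append(f"periodic polling every ~{int(round(m))}s over {len(starts)} sessions")
        if rec["bytes_sent"] >= EXFIL_BYTES:
            reasons.append(f"{rec['bytes_sent']} bytes uploaded to webmail")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in analyze(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

Grouping requests into sessions before measuring intervals is what keeps a login-plus-inbox burst from masking the half-hour beat; a human reading mail produces irregular gaps and is not flagged. Either signal alone is weak, so the two reasons are reported separately and should be weighed together with who the client is and whether the organization has any business with that webmail provider.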
On system startup, the malware disables a firewall product from AhnLab, a South Korean security software vendor, if it is present, and then stops the Windows Security Center service so that the system does not warn the user that no firewall is running.
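Stopping a security service and changing its start type both leave traces in the Windows System event log from the Service Control Manager: event 7036 records a service entering the stopped state and event 7040 records a change of start type, while event 6005 (the Event Log service starting) marks each boot. The script below is an added example, not part of the article or of any vendor tooling: it scans constructed records in a simplified "timestamp,event_id,message" layout (a real export will differ) and flags stops or start-type changes for the Security Center service (service name wscsvc) and for any service whose display name mentions AhnLab, escalating hits that occur within a few minutes of boot, which is the timing the article describes. The AhnLab service display name in the sample and the startup window are assumptions.

```python
"""Spot Security Center / AhnLab service tampering shortly after boot in System-log records.

Added example for the Kimsuky article; not vendor code. The CSV-ish record layout,
the AhnLab service display name and STARTUP_WINDOW_S are assumptions.
"""
import re
from datetime import datetime

WATCHED = ("Security Center", "AhnLab")   # display-name substrings; "AhnLab" match is an assumption
STARTUP_WINDOW_S = 300                    # tampering this soon after boot counts as "at startup"

# Real Service Control Manager message shapes for events 7036 and 7040.
STOPPED_RE = re.compile(r"^The (.+) service entered the stopped state\.$")
STARTTYPE_RE = re.compile(r"^The start type of the (.+) service was changed from (.+) to (.+)\.$")

# Constructed records, not a real log export.
SAMPLE_EVENTS = """\
2013-09-11T08:58:10,6005,The Event log service was started.
2013-09-11T08:58:41,7036,The AhnLab V3 Firewall service entered the stopped state.
2013-09-11T08:58:42,7040,The start type of the Security Center service was changed from auto start to disabled.
2013-09-11T08:58:43,7036,The Security Center service entered the stopped state.
2013-09-11T14:20:05,7036,The Print Spooler service entered the stopped state.
"""


def parse_events(text):
    """Return a list of (timestamp, event_id, message) from the assumed record layout."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, msg = line.split(",", 2)
        events.append((datetime.fromisoformat(ts), int(eid), msg))
    return events


def find_tampering(text):
    """Return hits for watched services being stopped or having their start type changed."""
    events = parse_events(text)
    boots = [ts for ts, eid, _ in events if eid == 6005]
    hits = []
    for ts, eid, msg in events:
        svc = action = None
        if eid == 7036:
            m = STOPPED_RE.match(msg)
            if m:
                svc, action = m.group(1), "stopped"
        elif eid == 7040:
            m = STARTTYPE_RE.match(msg)
            if m:
                svc, action = m.group(1), f"start type {m.group(2)} -> {m.group(3)}"
        if svc is None or not any(w in svc for w in WATCHED):
            continue
        # Seconds since the most recent boot marker before this event, if any.
        since_boot = min(((ts - b).total_seconds() for b in boots if b <= ts), default=None)
        hits.append({
            "time": ts.isoformat(),
            "service": svc,
            "action": action,
            "at_startup": since_boot is not None and since_boot <= STARTUP_WINDOW_S,
        })
    return hits


if __name__ == "__main__":
    for h in find_tampering(SAMPLE_EVENTS):
        print(h)
```

A stopped Security Center on its own is noisy (administrators and installers do it), so the boot-time correlation and the pairing with a security product's service going down in the same second are what turn these records into something worth a ticket. A live check on a suspect host is simply whether wscsvc and the vendor's firewall service are running and set to start automatically.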