North Korea exploited public interest in the deadly crowd crush in Seoul in October to conduct cyber attacks on South Korean targets, Google said on Thursday.
According to a report by the company’s Threat Analysis Group (TAG), the North Korean hacking organization APT37 embedded malicious code in a Microsoft Word file that resembled a report from South Korea’s Central Disaster Management Headquarters (CDMH) on the Oct. 29 crowd crush, in which 158 people died.
The document followed the format of official CDMH reports and had accurate details of the Halloween celebration tragedy in Itaewon, central Seoul, such as casualty figures, emergency response measures, and other details of the disaster.
The suspicious document was submitted to TAG by multiple users in South Korea via the cybersecurity services website VirusTotal on Oct. 31. VirusTotal is owned by Chronicle, a subsidiary of Google.
TAG said the document was intentionally designed as a CDMH document to tempt users to open it.
“The [Itaewon] incident was widely reported on, and the lure takes advantage of widespread public interest in the accident,” the TAG report said.
Pyongyang did not offer its condolences over the Itaewon tragedy, instead firing several missiles during Seoul’s week-long period of national mourning.
TAG said that it had not yet uncovered the malware delivered in APT37’s latest hacking campaign, or what its purpose was.
According to TAG, the fake disaster report was used by the North Koreans as a vehicle for malware, exploiting an Internet Explorer vulnerability that was still unpatched at the time, a so-called 0-day exploit.
“The document downloaded a rich text file (RTF) remote template, which in turn fetched remote HTML content,” TAG wrote, explaining that “because [Microsoft] Office renders this HTML content using Internet Explorer (IE), this technique has widely been used to distribute IE exploits via Office files since 2017.”
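The remote-template step TAG describes leaves a trace in the document itself: a .docx declares its attached template in word/_rels/settings.xml.rels, and a template-injection lure points that relationship at a remote URL instead of a local .dotm file. The following Python triage check is an added example, not code from the article or from TAG; it builds a constructed minimal .docx in memory and flags attached templates fetched over HTTP(S), with template.invalid as a placeholder host.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship type for an attached (Word) template and the
# package-relationships namespace; both are fixed by the OOXML standard.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PART = "word/_rels/settings.xml.rels"


def build_sample_docx(template_target: str, external: bool = True) -> bytes:
    """Constructed sample: a minimal .docx carrying only the parts this check reads.

    Real documents contain many more parts; for template injection only the
    settings relationships file matters.
    """
    target_mode = ' TargetMode="External"' if external else ""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}"{target_mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PART, rels)
    return buf.getvalue()


def remote_templates(docx_bytes: bytes) -> list:
    """Return attached-template targets that Word would fetch over the network.

    Local templates (e.g. file:// paths or relative paths to Normal.dotm) are
    normal and are not reported; only external http/https targets are flagged.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return found  # no attached template at all
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            if urlparse(target).scheme in ("http", "https"):
                found.append(target)
    return found


if __name__ == "__main__":
    sample = build_sample_docx("https://template.invalid/report.dotm")
    print(remote_templates(sample))
```

The check only covers the first hop (a document that pulls a remote template); the RTF and HTML stages TAG describes would need separate inspection of what that URL serves.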
TAG noted that “this is not the first time APT37 has used Internet Explorer 0-day exploits to target users,” adding that the group “has historically focused their targeting on South Korean users, North Korean defectors, policymakers, journalists and human rights activists.”
The same North Korean group, which has been active since 2012, was behind other malware delivered to South Korean users, including ROKRAT, BLUELIGHT and DOLPHIN, according to TAG.
TAG said it reported the latest Internet Explorer vulnerability to Microsoft on Oct. 31 and that the vulnerability was fixed on Nov. 8.
“TAG is committed to sharing research to raise awareness on bad actors like APT37 within the security community, and for companies and individuals that may be targeted,” the researchers said. “By improving understanding of the tactics and techniques of these types of actors, we hope to strengthen protections across the ecosystem.”
While the purpose of the latest hacking campaign is not yet clear, the North has ramped up its cyber heists in the last two years, with the regime accused of stealing as much as $1 billion worth of cryptocurrencies and hard currency to fund its nuclear and missile programs, according to U.S. Secretary of Homeland Security Alejandro Mayorkas in October.
BY MICHAEL LEE [lee.junhyuk@joongang.co.kr]