Seoul police are investigating a phishing email campaign orchestrated by the North Korean hacking group “Kimsuky,” which impersonated Seoul city officials. The group, known internationally for cyberattacks attributed to North Korea, reportedly sent fraudulent emails to unsuspecting recipients.
On February 13, the Seoul Metropolitan Police Agency’s Cyber Security Division conducted a raid on Seoul City Hall, securing email accounts suspected to have been used by North Korean hackers.
The investigation follows reports that some citizen accounts (@citizen.seoul.kr)—which can be created via the Seoul city website—were compromised and used to distribute phishing emails last month.

The fraudulent emails reportedly contained malware-infected files disguised as an inquiry about the feasibility of holding a remote meeting regarding North Korean defector leaflet distribution. Investigators traced the IP addresses used in the hacking attempt and found them to be identical to those used in previous cybercrimes linked to Kimsuky.
Kimsuky first gained notoriety in 2014 after hacking Korea Hydro & Nuclear Power, leaking nuclear reactor blueprints, and threatening to halt operations. The group has since engaged in multiple cyberattacks, including impersonating South Korea’s National Security Office in 2016 and sending phishing emails under the name of former lawmaker and North Korean defector Thae Yong-ho in 2022.
Due to the nature of phishing emails, where the true origin of the sender is often concealed, authorities are proceeding cautiously. A police official stated, “We cannot immediately conclude that North Korea is responsible solely based on matching IP addresses. We are conducting a detailed analysis of the compromised email accounts.”
Meanwhile, Seoul city officials have issued a public warning regarding the hacking incident, urging citizens not to open emails from unauthorized accounts. The city emphasized that official communications are sent exclusively from @seoul.go.kr accounts and that @citizen.seoul.kr accounts are not used for official business. Citizens are advised to delete suspicious emails and attachments immediately without opening them.
BY CHULWOONG KIM, YOUNGNAM KIM [kim.youngnam@koreadaily.com]