More than a dozen online malls have been targeted by ransomware, according to South Korean police.
Police have reported for the first time that North Korean state-sponsored threat actors have employed ransomware against companies and organizations in neighboring South Korea.
The South China Morning Post reports that, according to the South Korean National Police Agency, threat actors targeted at least 893 foreign policy experts in the country in an attempt to steal their identity information and email lists.
Phishing emails were sent primarily to experts and professors at think tanks and universities.
North Korean Ransomware
The assailants would pose as a secretary from the office of Tae Yong-ho, chairman of the ruling People’s Power Party, or a member of the Korea National Diplomatic Academy. The emails, whose distribution began as early as April 2022, contained either links to malicious websites or malicious attachments.
According to the findings of the law enforcement organization, at least 49 individuals fell for the scam and granted the attackers access to their email accounts and personal information.
This was sufficient to launch ransomware attacks against at least 13 companies (mostly online shopping malls), with two companies already paying approximately 2.5 million won (just under $2,000) to regain access to their systems.
Police, in their quest to identify the perpetrators of these attacks, claim that the threat actors used 326 “detour” servers in 26 countries to cover their tracks.
However, they believe that the group is most likely the one that attacked Korea Hydro & Nuclear Power in 2014.
The IP addresses used in the attack, the attempts to get the targets to sign into foreign websites, the use of North Korean diction, and the choice of targets (diplomacy experts, inter-Korean unification thinkers, national security and defense experts) are the primary indicators that North Koreans are behind this campaign.