15 December 2022
Daniel DePetris is a foreign affairs expert based in the United States. He received an email in October from Jenny Town, the director of 38 North, asking him to write about North Korea.
But Town did not send the email. The sender was a suspected North Korean spy, cybersecurity researchers said.
Instead of infecting DePetris' computer and stealing important information, the sender appeared to be trying to get his thoughts on North Korean security issues.
Cybersecurity researchers told Reuters news agency the email is part of a new campaign by a suspected North Korean hacking group. They said the group is targeting leading experts in foreign countries to better understand Western policy on North Korea.
The emails seen by Reuters showed that the issues raised were China's reaction in the event of a new nuclear test and how to deal with North Korean "aggression."
Researchers are calling the hacking group Thallium, or Kimsuky, among other names. The group has long used tricks in emails to gain information or send malware to targets' computers. Now, however, the group appears to simply ask experts to offer opinions or write reports.
James Elliott of the Microsoft Threat Intelligence Center (MSTIC) said the new method of cyberattack first appeared in January. He added that the attackers have a lot of success "with this very, very simple method."
MSTIC said it had identified several experts on North Korea who have provided information to a Thallium attacker account. Elliott added that the attackers are "getting it directly from the expert."
A 2020 report by U.S. government cybersecurity agencies said Thallium has been operating since 2012. And the group is most likely used by the North Korean government to gather intelligence.
Microsoft has found that Thallium has historically targeted government employees. Other targets include those who work in policy, education and human rights.
Jenny Town of 38 North said that the attackers impersonated her email account using an address that ended in ".live" instead of her official account's ".org". In one email, the suspected attackers included her real email in the exchange.
DePetris said the emails he has received were written as if a researcher were asking for a paper submission or comments on a paper. He said the attackers also included organization logos to make them look real.
In one email, which DePetris shared with Reuters, the attackers offered $300 for his comment on a paper about North Korea's nuclear program and suggestions for other possible experts. Elliott noted that the hackers never paid anyone for their research or answers.
Elliott of Microsoft said the method can be quicker than hacking someone's account and searching through their emails. He said it also goes around traditional technical security programs that would alert the message as having malware. And it permits spies direct access to the experts' thinking.
"For us as defenders, it's really, really hard to stop these emails," he said, adding that in most cases it comes down to the recipient being able to figure it out.
I'm Gregory Stachel.
Josh Smith reported this story for Reuters. Gregory Stachel adapted it for VOA Learning English.
Words in This Story
impersonate – v. to pretend to be (another person)
submission – n. an act of giving a document, proposal, or piece of writing to someone so that it can be considered or approved
logo – n. a symbol that is used to identify a company and that appears on its products
alert – v. to give (someone) important information about a possible problem or danger
figure – v. to understand or find (something, such as a reason) by thinking