Hostile Cyber Activity Targeted South Korea

Are hostile cyber criminals from North Korea targeting their friendly neighbor to the south?

According to a recent report by the Kaspersky Lab information security research team, an active cyber espionage campaign has been discovered targeting South Korean government organizations. The campaign, known as Kimsuky, is limited in scope and highly focused. According to the technical analysis, the attackers have targeted 11 South Korean organizations and two Chinese organizations, among them the Sejong Institute, the Korean Institute for Defense Analysis (KIDA), the South Korean Ministry of Unification and Hyundai Merchant Marine.

The earliest activity was detected on April 3, 2013, and the first Kimsuky trojan was discovered on May 5, 2013. This relatively simple espionage software contains a number of basic coding mistakes and routes communications to and from infected computers through the free mail server mail.bf, which operates on a Bulgarian network.

Even though the basic mechanics of the trojan are still unclear, Kaspersky researchers believe that the Kimsuky malicious code most likely infected its targets through a focused phishing attack, and that it has the following capabilities: keystroke logging, collecting directory listings, remote control and stealing HWP documents. HWP documents are associated with a South Korean word processing application, part of the Hancom Office Suite used by local government organizations. The attackers use a modified version of the remote control software TeamViewer to create a back door, and through it gain access to any files present on the infected computer.

iHLS – Israel Homeland Security

Kimsuky includes malicious code aimed specifically at HWP files, indicating that these files are one of the main targets of the campaign.

Other clues point to North Korea as the source of the attacks. First, the target profiles: South Korean universities doing research on North-South relations and shaping national security policy for government organizations, the national shipping company, and groups that support the unification of Korea.

Second, the code includes Korean words – some can be translated into English as “attack” or “complete”.

Third, two e-mail addresses used by the bots to send status reports and data on infected systems, [email protected] and [email protected], are registered to users with Korean names. Although user names cannot be considered proof, the source IP addresses of the attackers fit this profile: there are 10 IP sources, all within the Jilin and Liaoning provinces in China. The internet providers in these provinces apparently also provide internet access to parts of North Korea.
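The report describes a trojan that talks to its operators through a free public mail service rather than a dedicated command server, which gives defenders a concrete hunting angle: workstations that repeatedly contact that mail service, particularly at a steady cadence, are worth a closer look. The script below is an added example, not code from the article or from Kaspersky Lab; it triages constructed egress log lines (the log format, internal IPs and timestamps are all made up for illustration) and reports, per source host, how many events hit the relay domain named in the report, how much data went out, and the median interval between events as a rough beaconing indicator.

```python
"""Hunt for internal hosts relaying traffic to the free mail service named in the report.

Added example, not code from the article or from Kaspersky Lab. The egress log
format, IP addresses and timestamps below are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Relay domain the article attributes to the trojan's communications.
SUSPECT_MAIL_DOMAINS = ("mail.bf",)

# Constructed log format: "<iso-timestamp> <src_ip> <dst_host> <dst_port> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

# Constructed sample: one host beaconing every ~5 minutes, one single hit, one clean host.
SAMPLE_LOGS = """\
2013-05-05T08:00:01Z 10.1.1.5 mail.bf 25 2048
2013-05-05T08:00:09Z 10.1.1.5 www.example.org 443 512
2013-05-05T08:05:01Z 10.1.1.5 mail.bf 25 1900
2013-05-05T08:10:02Z 10.1.1.5 mail.bf 25 2100
2013-05-05T09:00:00Z 10.1.1.7 smtp.mail.bf 587 3000
2013-05-05T09:30:00Z 10.1.1.9 www.example.org 443 700
"""


def is_suspect_domain(host):
    """True for the relay domain itself or any of its subdomains (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_MAIL_DOMAINS)


def parse_line(line):
    """Parse one constructed log line into a record, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, port, nbytes = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "host": host,
        "port": int(port),
        "bytes": int(nbytes),
    }


def triage(log_text, min_events=2):
    """Group relay contacts by source host and summarise those with >= min_events hits.

    Returns {src_ip: {"events", "bytes_out", "hosts", "median_interval_s"}}.
    median_interval_s is None when a host has only one event.
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspect_domain(rec["host"]):
            per_src[rec["src"]].append(rec)

    report = {}
    for src, recs in per_src.items():
        if len(recs) < min_events:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[src] = {
            "events": len(recs),
            "bytes_out": sum(r["bytes"] for r in recs),
            "hosts": sorted({r["host"] for r in recs}),
            "median_interval_s": statistics.median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOGS).items():
        print(f"{src}: {info['events']} contacts to {', '.join(info['hosts'])}, "
              f"{info['bytes_out']} bytes out, median gap {info['median_interval_s']}s")
```

The interval statistic is deliberately crude: a steady gap between contacts is a weak signal on its own, and a user who genuinely uses a free webmail account will also show up here. The point is to shortlist hosts for review, not to declare an infection; on a real network the relay hosts would be fed in from the published indicators, and the same logic runs over proxy or firewall exports once `LOG_RE` is adjusted to that format.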

Another interesting geopolitical aspect of Kimsuky is the neutralization of AhnLab information security tools, AhnLab being a South Korean information security company. Kaspersky Lab products identify and neutralize these threats as Trojan.Win32.Kimsuky, and the modified TeamViewer components are identified as Trojan.Win32.Patched.ps.