For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are several reasons why this campaign is extraordinary in its execution and logistics. It all started when we encountered a somewhat unsophisticated spy program that communicated with its “master” through a public e-mail server, an approach typical of amateur malware authors.
However, there were a few things that attracted our attention:
The full path found in the malware contains Korean strings:
The word “rsh”, by all appearances, is short for “Remote Shell”, and the Korean words translate into English as “attack” and “completion”, i.e.:
We managed to identify several targets. Here are some of the organizations that the attackers were interested in targeting:
|The Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.|
|KIDA is a comprehensive defense research institution that covers a wide range of defense-related issues. KIDA is organized into seven research centers: the Center for Security and Strategy; the Center for Military Planning; the Center for Human Resource Development; the Center for Resource Management; the Center for Weapon Systems Studies; the Center for Information System Studies; and the Center for Modeling and Simulation. KIDA also has an IT Consulting Group and various supporting departments. KIDA's mission is to contribute to rational defense policy-making through intensive and systematic research and analysis of defense issues.|
|The Ministry of Unification is an executive department of the South Korean government responsible for working towards the reunification of Korea. Its major duties are: establishing North Korea Policy, coordinating inter-Korean dialogue, pursuing inter-Korean cooperation and educating the public on unification.|
|Hyundai Merchant Marine is a South Korean logistics company providing worldwide container shipping services.|
Some clues suggest that computers belonging to “The supporters of Korean Unification” (http://www.unihope.kr/) are also compromised. Of the other organizations we counted, 11 are based in South Korea and two reside in China.
Many minimal malicious programs are involved in this campaign and, strangely, each implements a single spying function. We found basic libraries responsible for communication with the campaign master, plus additional modules performing the following functions:
The clues we found make it possible to surmise a North Korean origin for the attackers. A detailed report on this campaign can be found in our article "The “Kimsuky” Operation: A North Korean APT?".
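As an added example (not code from the original article or from the analysts of this campaign), the following Python script implements one check a defender could run against the kind of e-mail-based command channel described at the start of this post: given outbound connection records, it flags processes that reach mail ports (SMTP, POP3, IMAP) without being a known mail client, and reports the intervals between their connections, since a single-purpose module polling a mailbox tends to do so on a fixed schedule. The log format, host names, process names, IP addresses and the allowlist of expected mail clients are all constructed for this example.

```python
"""Flag unexpected processes talking to public mail servers and measure their polling cadence.

All data below is constructed for this example; the host names, process names and
addresses are hypothetical and are not indicators from the campaign in the article.
"""
from collections import defaultdict
from datetime import datetime

# Ports used by SMTP, SMTPS, submission, POP3, IMAP and their TLS variants.
MAIL_PORTS = {25, 465, 587, 110, 143, 993, 995}

# Hypothetical allowlist of binaries expected to speak these protocols on workstations.
EXPECTED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed outbound-connection log: "timestamp host process dst_ip dst_port".
SAMPLE_LOG = """\
2013-09-01T08:00:01 ws01 outlook.exe 203.0.113.10 993
2013-09-01T08:05:12 ws01 svchost.exe 203.0.113.10 443
2013-09-01T08:10:30 ws02 updater.exe 198.51.100.5 25
2013-09-01T08:40:31 ws02 updater.exe 198.51.100.5 25
2013-09-01T09:10:29 ws02 updater.exe 198.51.100.5 25
2013-09-01T09:12:00 ws03 thunderbird.exe 198.51.100.5 587
2013-09-01T09:15:44 ws03 helper.exe 192.0.2.20 465
"""


def parse_log(text):
    """Parse whitespace-separated connection records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, ip, port = line.split()
        records.append({"ts": ts, "host": host, "proc": proc.lower(),
                        "ip": ip, "port": int(port)})
    return records


def find_mail_c2_candidates(records, allowlist=EXPECTED_MAIL_CLIENTS):
    """Return {(host, proc): {"dsts": set((ip, port)), "count": n}} for
    connections to mail ports made by processes outside the allowlist."""
    hits = defaultdict(lambda: {"dsts": set(), "count": 0})
    for r in records:
        if r["port"] in MAIL_PORTS and r["proc"] not in allowlist:
            key = (r["host"], r["proc"])
            hits[key]["dsts"].add((r["ip"], r["port"]))
            hits[key]["count"] += 1
    return dict(hits)


def beacon_intervals(records, host, proc):
    """Seconds between successive mail-port connections from one (host, proc).
    Near-constant values suggest scheduled polling rather than interactive use."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    times = sorted(datetime.strptime(r["ts"], fmt) for r in records
                   if r["host"] == host and r["proc"] == proc
                   and r["port"] in MAIL_PORTS)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def format_report(records, hits):
    """Render one line per suspicious (host, process) pair."""
    lines = []
    for (host, proc), info in sorted(hits.items()):
        dsts = ", ".join(f"{ip}:{port}" for ip, port in sorted(info["dsts"]))
        gaps = beacon_intervals(records, host, proc)
        lines.append(f"{host} {proc}: {info['count']} connection(s) to {dsts};"
                     f" intervals (s): {gaps}")
    return lines


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for line in format_report(recs, find_mail_c2_candidates(recs)):
        print(line)
```

In the constructed data, the allowlisted clients on ws01 and ws03 are ignored, svchost.exe is ignored because 443 is not a mail port, and updater.exe on ws02 is reported with roughly 30-minute gaps between its SMTP connections, which is the pattern a mailbox-polling implant produces. In a real deployment the allowlist would be derived from the organisation's software inventory and the records from proxy, firewall or EDR telemetry.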