When Daniel DePetris, a US-based foreign affairs analyst, received an e-mail in October from the director of the 38 North think tank commissioning an article, it seemed to be business as usual.
It was not.
The sender turned out to be a suspected North Korean spy seeking information, according to those involved and three cybersecurity researchers.
Instead of infecting his computer and stealing sensitive data, as hackers typically do, the sender appeared to be trying to elicit his thoughts on North Korean security issues by pretending to be 38 North director Jenny Town.
“I realized it wasn’t legit once I contacted the person with follow-up questions and found out there was, in fact, no request that was made, and that this person was also a target,” DePetris said, referring to Town. “So I figured out pretty quickly this was a widespread campaign.”
The e-mail was part of a new and previously unreported campaign by a suspected North Korean hacking group, according to the cybersecurity experts, five targeted individuals and e-mails reviewed by Reuters.
The hacking group, which researchers dubbed “Thallium” or “Kimsuky,” among other names, has long used “spear-phishing” e-mails that trick targets into giving up passwords, or clicking attachments or links that load malware. Now, it also appears to simply ask researchers or other experts to offer opinions or write reports.
According to e-mails reviewed by Reuters, among the issues raised were China’s expected reaction in the event of a new nuclear test, and whether a “quieter” approach to North Korean “aggression” might be warranted.
“The attackers are having a ton of success with this very, very simple method,” Microsoft Threat Intelligence Center member James Elliott said, adding that the new tactic first emerged in January.
“The attackers have completely changed the process,” he added.
The center said it had identified “multiple” North Korea experts who have provided information to a Thallium attacker account.
The experts and analysts targeted in the campaign are influential in shaping international public opinion and foreign governments’ policy toward North Korea, the cybersecurity researchers said.
A 2020 report by US government cybersecurity agencies said Thallium has been operating since 2012 and “is most likely tasked by the North Korean regime with a global intelligence gathering mission.”
Thallium has historically targeted government employees, think tanks, academics and human rights organizations, Microsoft said.
“The attackers are getting the information directly from the horse’s mouth, if you will, and they don’t have to sit there and make interpretations because they’re getting it directly from the expert,” Elliott said.
North Korean hackers are well-known for attacks netting millions of US dollars, targeting Sony Pictures over a film seen as insulting to the country’s leader, and stealing data from pharmaceutical and defense companies, foreign governments and others.
The North Korean embassy in London did not respond to a request for comment, but it has denied being involved in cybercrime.
In other attacks, Thallium and other hackers have spent weeks or months developing trust with a target before sending malicious software, BAE Systems Applied Intelligence principal threat intelligence analyst Saher Naumaan said.
However, Microsoft said that the group now also engages with experts in some cases without ever sending malicious files or links even after the experts respond.
This tactic can be quicker than hacking someone’s account and wading through their e-mails, bypasses traditional technical security programs that would scan and flag a message with malicious elements, and allows the spies direct access to the experts’ thinking, Elliott said.
“For us as defenders, it’s really, really hard to stop these e-mails,” he said, adding that in most cases it comes down to the recipient being able to figure it out.
Town said some messages purporting to be from her had used an e-mail address that ended in “.live” rather than her official account, which ends in “.org,” but had copied her full signature line.
In one case, she said that she was involved in a surreal e-mail exchange in which the suspected attacker, posing as her, included her in a reply.
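The indicator Town describes, a message carrying a known contact’s name and full signature but sent from a domain that differs only in its suffix, is exactly the kind of thing a content scanner misses because there is no payload to flag. The following is an added example, not code from the article or from any of the organizations it mentions, showing how a recipient-side check can key off the sender headers alone: it compares the display name in the From header against a directory of known contacts and the domains they actually use, and classifies a match-with-wrong-domain as a lookalike when only the suffix differs (the “.live” versus “.org” pattern). The contact directory, the message headers and all domains are constructed placeholders, and the Reply-To comparison is an extra check added here, not something the article reports.

```python
"""
Flag e-mails whose From display name matches a known contact but whose
sending domain is not one that contact uses. Added example; every contact
record, address and message below is constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: normalised display name -> domains the contact really uses.
# These are hypothetical placeholder domains, not the real people's addresses.
KNOWN_CONTACTS = {
    "jenny town": {"example-thinktank.org"},
    "daniel depetris": {"example-priorities.org"},
}


def normalise_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jenny  Town' and 'jenny town' match."""
    return " ".join(name.lower().split())


def domain_of(addr: str) -> str:
    """Return the domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def registrable_label(domain: str) -> str:
    """Label to the left of the suffix: 'example-thinktank' for 'example-thinktank.org'.
    A naive split is enough for this example; production code should consult the
    Public Suffix List so that names such as 'example.co.uk' are handled correctly."""
    return domain.split(".")[0] if domain else ""


def classify_sender(raw_message: str) -> dict:
    """Classify a raw RFC 5322 message by comparing its From header to the directory.

    verdict values:
      known         - display name matches a contact and the domain is one they use
      lookalike     - display name matches a contact, domain differs only in suffix
      spoofed_name  - display name matches a contact, domain is unrelated
      unknown       - display name is not in the directory
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    result = {"name": name, "address": addr, "verdict": "unknown",
              "reply_to_mismatch": False}

    allowed = KNOWN_CONTACTS.get(normalise_name(name))
    if allowed is not None:
        if domain in allowed:
            result["verdict"] = "known"
        elif registrable_label(domain) in {registrable_label(d) for d in allowed}:
            result["verdict"] = "lookalike"
        else:
            result["verdict"] = "spoofed_name"

    # Extra check added here (not from the article): a Reply-To on a different
    # domain than From diverts the conversation away from the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain:
        result["reply_to_mismatch"] = True
    return result


# Constructed sample messages; only the headers matter for this check.
SAMPLE_MESSAGES = {
    "legit": ("From: Jenny Town <jtown@example-thinktank.org>\r\n"
              "Subject: Request for comments\r\n\r\nBody.\r\n"),
    "lookalike_tld": ("From: Jenny Town <jtown@example-thinktank.live>\r\n"
                      "Subject: Commissioned article\r\n\r\nBody.\r\n"),
    "webmail_with_reply_to": ("From: Daniel DePetris <daniel.depetris@freemail.example>\r\n"
                              "Reply-To: reviews@another.example\r\n"
                              "Subject: Manuscript review\r\n\r\nBody.\r\n"),
    "stranger": ("From: Some Reporter <news@news-agency.example>\r\n"
                 "Subject: Question\r\n\r\nBody.\r\n"),
}


def triage(messages: dict) -> dict:
    """Run the classifier over a batch; returns label -> result dict."""
    return {label: classify_sender(raw) for label, raw in messages.items()}


if __name__ == "__main__":
    for label, r in triage(SAMPLE_MESSAGES).items():
        flag = " (Reply-To differs)" if r["reply_to_mismatch"] else ""
        print(f"{label:24} {r['verdict']:13} {r['address']}{flag}")
```

The `spoofed_name` verdict will also fire when a genuine contact writes from a personal webmail account, so it is a prompt for the recipient to verify out of band, as DePetris did, rather than an automatic block. The `lookalike` verdict is the stronger signal, since a legitimate organisation rarely registers the same name under a second suffix just to send commissions from it.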
DePetris, a fellow at the Defense Priorities think tank and a columnist for several newspapers, said the e-mails he has received were written as if a researcher were asking for a paper submission or comments on a draft.
“They were quite sophisticated, with think tank logos attached to the correspondence to make it look as if the inquiry is legitimate,” he said.
About three weeks after receiving the faked e-mail from 38 North, a separate hacker impersonated him, e-mailing other people to look at a draft, DePetris said.
That e-mail, which DePetris shared with Reuters, offers US$300 for reviewing a manuscript about North Korea’s nuclear program and asks for recommendations for other possible reviewers.
Elliott said the hackers never paid anyone for their research or responses, and would never intend to.
Impersonation is a common method for spies around the world, but as North Korea’s isolation has deepened under sanctions and the COVID-19 pandemic, Western intelligence agencies believe Pyongyang has become particularly reliant on cybercampaigns, one security source in Seoul said, speaking on condition of anonymity to discuss intelligence matters.
In a report released in March, a panel of experts that investigates North Korea’s UN sanctions evasions listed Thallium’s efforts as among activities that “constitute espionage intended to inform and assist” the country’s sanctions avoidance.
Town said that in some cases, the attackers had commissioned papers, and analysts had provided full reports or manuscript reviews before realizing what had happened.
DePetris said the hackers asked him about issues he was already working on, including Japan’s response to North Korea’s military activities.
Another e-mail, purporting to be from a reporter from Japan’s Kyodo news agency, asked a 38 North staffer how they thought the war in Ukraine factored in North Korea’s thinking, and posed questions about US, Chinese and Russian policies.
“One can only surmise that the North Koreans are trying to get candid views from think tankers in order to better understand US policy on the North and where it may be going,” DePetris said.