DPRK Hackers Targeted 18,000 During Martial Law Chaos

North Korean hackers have been identified as the culprits behind a sophisticated phishing campaign that targeted professionals in South Korea’s unification, defense, national security, and foreign affairs sectors. The National Police Agency revealed that over a three-month period, more than 120,000 phishing emails were sent to nearly 18,000 individuals, impersonating communications from South Korea’s Military Counterintelligence Command during the Martial Law turmoil.

The campaign, which began in November 2024 and lasted until January 2025, involved the distribution of emails with subject lines such as ‘Disclosure of Defense Counterintelligence Command Martial Law Documents.’ Kim Young-woon, head of the agency’s cyber terrorism unit, confirmed North Korea’s involvement and noted a shift in their tactics from hand-crafted emails to automated mass distribution.

Authorities discovered that at least 570 individuals clicked on the phishing emails, potentially exposing sensitive data such as emails and contact lists. The hackers utilized 15 overseas servers and custom-built malware to track real-time metrics, allowing them to monitor user actions such as opening emails, clicking on links, and submitting account credentials.

Furthermore, North Korea reused servers previously identified in other state-backed cyberattacks and conducted searches for North Korean defector data and South Korean military information. The phishing emails were designed to mimic government alerts or official communication, with subject lines ranging from military documents to celebrity concert invitations.

The emails directed recipients to spoofed login portals resembling popular South Korean web services like Naver, Kakao, and Google. The phishing attempts were sophisticated, with email addresses appearing to come from government domains or closely resembling personal contacts. Various spoofing methods were employed to deceive recipients and entice them to enter their credentials.

Out of the 17,744 recipients, 120 individuals fell for the phishing attempt, granting attackers access to their inbox contents and stored contact information. In response to the incident, the South Korean government issued warnings to the public to remain vigilant against phishing threats and emphasized the importance of verifying the legitimacy of emails and websites.

The investigation into the phishing campaign revealed that it was part of a broader pattern in North Korea’s cyber playbook, which includes attacks on cryptocurrency platforms, espionage efforts targeting defense sectors, and global disinformation operations. South Korean authorities reiterated their commitment to responding decisively to cyber threats and pledged enhanced coordination with international partners and cybersecurity agencies.

The disclosure of the case to the media under South Korea’s Public Information Rules on Criminal Investigations was justified as a preventive measure against similar attacks. Investigations are ongoing, with cybersecurity experts tracking North Korea’s infrastructure and tactics in collaboration with international stakeholders.

In conclusion, the phishing campaign orchestrated by North Korean hackers highlights the persistent and coordinated threat posed by malicious cyber activities. Public vigilance, cooperation, and reporting of suspicious activities are essential in combating such malicious campaigns and strengthening cybersecurity defenses.
