Researchers from Kaspersky Labs have detailed what they believe to be a coordinated cyber-espionage operation targeting South Korean organizations and originating in North Korea.
Dubbed the “Kimsuky Campaign,” the spying operation is being described as an APT despite the researchers’ acknowledgement that the malware employed is rather simplistic and even contains multiple coding errors.
Then again, the attackers may have been counting on the seemingly amateurish quality of the malware code to keep it from being noticed.
“For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics,” writes Kaspersky’s Dmitry Tarakanov.
“It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored,” Tarakanov continued.
The operation, which is suspected to have been running since April, targeted several organizations, including the Korean Institute for Defense Analysis, the Korean Ministry for Unification, and the Sejong Institute. That target list leads the researchers to suspect that the attackers are North Korean, though they stop short of a firm attribution.
“The targets almost perfectly fall into their sphere of interest. On the other hand, it is not that hard to enter arbitrary registration information and misdirect investigators to an obvious North Korean origin,” Tarakanov said.