North Korean hackers target smartphones, spread disguised malware

Posted November 11, 2025 08:24

Updated November 11, 2025 08:24

Evidence has emerged that a hacking group suspected of having ties to North Korea carried out cyberattacks that disabled individuals’ smartphones and spread disguised malware through their KakaoTalk accounts. This is the first known instance in which the attackers went beyond stealing personal information to cause direct harm by wiping devices and deleting data.

On Nov. 10, the cybersecurity firm Genians released a report saying it had identified new signs of attacks by Kimsuky or APT37, groups believed to be linked to a North Korea–associated threat actor known as Konni.

According to the report, the initial intrusion began with phishing emails impersonating South Korea’s National Tax Service. After infiltrating a victim’s computer, the hackers used Find Hub, Google’s device-theft and loss-management tool, to remotely reset the victim’s smartphone. At the same time, they used the victim’s KakaoTalk account to send malware disguised as a “stress relief program” to the victim’s contacts.

The hackers also deleted key data, including photos, documents and contacts, from smartphones, tablets and personal computers. Targets included North Korean human rights activists and counselors who assist North Korean defectors.

Yeom Heung-yeol, a professor of information security at Soonchunhyang University, said North Korean cyberattacks previously targeted servers, but this case involved a direct attack on the personal devices of specific individuals. He warned the threat could be far more serious if the targets include people with access to sensitive information at government agencies or private companies.


Reporter 박종민 blick@donga.com