The American cybersecurity company Proofpoint has discovered that the Kimsuky hacker group, presumably from North Korea, is attacking Russian scientists, foreign policy experts, and non-governmental organizations that deal with various issues of interaction with the DPRK.
It follows from the company's research that hackers send phishing emails to Korean experts on behalf of well-known experts in the Russian Federation.
Alexey Pavlov, Business Development Director of the center for countering cyberattacks Solar JSOC Rostelecom-Solar, explained that the letters contain a link, upon clicking on which the user sees a window for entering a login and password. This is similar to a Windows pop-up window for password-protected network resources. According to the attackers' plan, the victim must enter his credentials. Since the unsecured HTTP protocol is used, hackers get the credentials in cleartext.
The Proofpoint study provides an example of such a letter in Russian, allegedly on behalf of the Executive director of the National Committee for BRICS Research, Georgy Toloraya. “Mass mailings are being sent from fake addresses opened in my name,” he confirmed, adding that the signature was copied from old letters.
"Positive Technologies specialists recorded Kimsuky attacks using Korean themes in August," says Denis Kuvshinov, head of the company's threat research department.
According to Group-IB experts, over the past year, Kimsuky has been quite active in conducting cyber espionage operations not only against South Korea but also countries that support it.
The group has been carrying out thematic attacks since 2018. In 2020, it attacked Russian military and industrial organizations.
Experts believe that Kimsuky will try to purposefully extract valuable documents from specific officials and employees of research organizations. Kimsuky can connect infected computers to a botnet or steal access to crypto wallets.