North Korean hackers target the South's think tanks through blog posts

A North Korean hacking group has been attacking think tanks in the South through malware-laden blog posts. 

In a new campaign, tracked since June 2021, the state-sponsored advanced persistent threat (APT) group has been attempting to plant malware for surveillance and data theft on victim machines.

On Wednesday, researchers from Cisco Talos said the Kimsuky APT, also known as Thallium or Black Banshee, is responsible for the wave of attacks, in which malicious Blogspot content is being used to lure “South Korea-based think tanks whose research focuses on political, diplomatic, and military topics pertaining to North Korea, China, Russia, and the US.”

Specifically, geopolitical and aerospace organizations appear to be on the APT’s radar. 

Kimsuky has been active since at least 2012. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory (.PDF) on the APT in 2020, noting that the state-sponsored group is tasked by the North Korean government with “global intelligence gathering.” Past victims have been located in South Korea, Japan, and the United States. 

AhnLab says that compensation forms, questionnaires, and research documents attached to emails have served as phishing lures in the past, and in the campaign detected by Talos, malicious Microsoft Office documents remain a primary attack vector.
