Seoul, South Korea. Image: Unsplash+

News media, foreign affairs experts are targets of North Korean group’s latest campaign

North Korean state hackers are targeting media organizations and high-profile academics in a new espionage campaign, according to a new report released this week.

The goal of these attacks, attributed by researchers at SentinelLabs to a hacker group known as ScarCruft or APT37, is to “gather strategic intelligence” that can “contribute to North Korea’s decision-making processes.”

ScarCruft is a suspected North Korean state-sponsored group with a history of attacks against high-value individuals as well as public and private entities, primarily in South Korea.

In the latest campaign in December, the group aimed at experts in North Korean affairs from South Korea’s academic sector, as well as a news organization focused on North Korea, SentinelLabs said.

This allows the threat actor to “gain a better understanding of how the international community perceives developments in North Korea,” according to the report.

Some of the victims of the December campaign were also attacked approximately one month earlier, in November. “This speaks to the adversary’s persistence and adaptability in pursuing its goals,” researchers said.

Infection chain

During the attacks, the hackers infected their victims with RokRAT malware, delivered through phishing emails often disguised as scientific reports. RokRAT is a custom-written backdoor associated with the group, allowing its operators “to effectively conduct surveillance on targeted entities.”

One of the phishing emails discovered by researchers impersonated the North Korea Research Institute and was sent to an expert in North Korean affairs.

The email contained an attached archive file with nine files claiming to be presentation materials from a fabricated event — a human rights expert discussion meeting — relevant to the victim.

To make the phishing email current and therefore more credible, the sender stated that the meeting occurred on the same date the email was sent.

All files in the archive looked similar — they had names related to human rights in North Korea and started with a number. Among the nine files, two were malicious and infected their victims with RokRAT.

The hackers used public cloud services, such as pCloud and Yandex Cloud, for command-and-control purposes, disguising malicious communication as legitimate network traffic.

Future plans

SentinelLabs said it also discovered other malware developed by ScarCruft that is currently in the planning and testing phases and will likely be deployed by the group in future campaigns. The phishing document used in this attack was disguised as a research report on Kimsuky, another suspected North Korean hacker group.

Considering ScarCruft’s tendency to use decoy documents relevant to targeted individuals, researchers suspect that the planned campaigns will likely attack threat researchers, cyber policy organizations, and other cybersecurity professionals.

“ScarCruft’s focus on consumers of technical threat intelligence reports suggests an intent to gain insights into non-public cyber threat intelligence and defense strategies,” researchers said. “This helps in identifying potential threats to their operations and contributes to refining their operational and evasive approaches.”

ScarCruft has previously been linked to Kimsuky. Earlier in August, both groups even targeted the same victim — a major missile manufacturer in Russia.

In ScarCruft's latest attack, researchers observed another similarity between the two. One of the decoy documents used by the hackers contained metadata that identified the document’s creator by the pseudonym “bandi.” The same name was previously used by Kimsuky.

“While the overlap in pseudonym use does not represent a strong link between the groups from a technical perspective, it is still indicative of the suspected relations between them,” researchers said.

In the context of North Korea, the term “bandi” is known as the pseudonym of a suspected North Korean author known for publishing dissident writing. It also means “firefly” in Korean.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.