Android trojan targets North Korean defectors and their supporters


North Korean defectors, along with those who help them, are being targeted by a hacking operation that aims to infect their devices with trojan malware for the purpose of spying. The campaign apparently uses social networks and chat applications to interact directly with selected victims in South Korea and plant spyware on their smartphones.

Researchers at McAfee have attributed the attacks to an operation they have dubbed Sun Team, named after deleted files used to help carry out the attacks. The attackers used applications including KakaoTalk, a popular chat app in South Korea, and social media services including Facebook to distribute the trojan to victims' Android devices.

Once dropped onto a device, the malware uses a phishing-style prompt to trick the victim into enabling the accessibility service it needs to gain full control of the device. Once installed, the trojan uses cloud services including Dropbox, Google and Yandex as its control server, both as a hub for uploading stolen data and as a channel for receiving commands.
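Because the trojan depends on the victim enabling an accessibility service, one practical check for a device you suspect is to audit which accessibility services are enabled and compare them to an allowlist. The script below is an added example, not code from McAfee or the ZDNet article. It parses the value of the `enabled_accessibility_services` secure setting (a colon-separated list of `package/class` component names, or `null` when none are enabled); the allowlist entries and the sample value are constructed placeholders, and the `audit_device` helper that pulls the real value via `adb` is defined but not run here.

```shell
#!/bin/sh
# Added example (not McAfee's or ZDNet's code): audit which Android accessibility
# services are enabled and flag any that are not on an allowlist.
#
# On a live device the raw value comes from:
#   adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of component names (package/class), or "null"
# when nothing is enabled. Below we feed a constructed sample string instead,
# so the script runs offline.

# Allowlist of services expected to be enabled. This entry is a hypothetical
# placeholder; replace it with the components your fleet actually uses.
ALLOWED_SERVICES="com.example.screenreader/com.example.screenreader.ReaderService"

# Constructed sample value, as if captured from a compromised device: the
# allowlisted reader plus an unknown service a trojan talked the user into enabling.
SAMPLE_ENABLED="com.example.screenreader/com.example.screenreader.ReaderService:com.example.dropped/com.example.dropped.ControlService"

# Print every enabled service that is not allowlisted, one per line.
unexpected_services() {
    enabled="$1"
    # "null" is what `settings get` prints when the key is unset.
    if [ "$enabled" = "null" ]; then
        enabled=""
    fi
    printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        case " $ALLOWED_SERVICES " in
            *" $svc "*) ;;                 # expected, say nothing
            *) printf '%s\n' "$svc" ;;     # not on the allowlist
        esac
    done
}

# Number of unexpected services; "0" means the device matches the allowlist.
# grep -c exits 1 when it counts nothing, so "|| true" keeps set -e callers alive.
unexpected_count() {
    unexpected_services "$1" | grep -c . || true
}

# Run against a connected device (requires adb; defined only, not invoked here).
# tr strips the carriage return adb shell appends on some Android builds.
audit_device() {
    unexpected_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
}

# Offline demonstration on the constructed sample.
echo "Unexpected accessibility services in sample:"
unexpected_services "$SAMPLE_ENABLED"
```

If the audit turns up a component you do not recognise, the same `settings` command with `put` instead of `get` can rewrite the list to the allowlisted entries only, but on a device you intend to investigate it is better to image it first, because disabling the service may alert the implant and lose volatile evidence.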

Not much is known about the group behind the attacks, but McAfee's researchers believe it must be very familiar with the Korean language and South Korean culture, because the names associated with the attackers' cloud accounts come from Korean television, including the names of soap opera characters and reality show contestants.

The researchers also note that one word associated with the attackers, 'blood type', is spelled the North Korean way rather than in the South Korean equivalent. North Korean IP test log files were also discovered on some Android devices used to spread the malware. However, McAfee cautions that this is not enough to draw conclusions about the attackers' location because "Wi-Fi was on so we cannot exclude the possibility that the IP address is private".

[Read full ZDNet article]

This entry was posted by Grant Montgomery.
