North Korean cyber spies trick foreign experts into writing research for them

When Daniel DePetris, a US-based foreign policy analyst, received an email in October from the director of the 38 North think tank commissioning an article, nothing seemed out of the ordinary.

It was not.

According to those involved and three cybersecurity researchers, the sender was actually a suspected North Korean spy seeking information.

Instead of infecting his computer and stealing sensitive data, as hackers usually do, the sender appeared to be trying to get his thoughts on North Korean security issues by pretending to be Jenny Town, director of 38 North.

“I realized it wasn’t legitimate when I contacted the person with further questions and found out that in fact no request was made and that person was also a target,” DePetris told Reuters, referring to Town. “So I found out pretty quickly that this was a widespread campaign.”

The email is part of a new and previously unreported campaign by a suspected North Korean hacking group, according to cybersecurity experts, five targeted people and emails verified by Reuters.


The hacker group, which researchers dubbed Thallium or Kimsuky, among others, has long used “spear phishing” emails that trick targets into revealing passwords or clicking on attachments or links that load malware. Now, however, it appears simply to be asking researchers or other experts for statements or reports.

Topics raised in the emails verified by Reuters included China’s response in the event of a new nuclear test, and whether a “quieter” approach to North Korean “aggression” might be warranted.

“The attackers are having a lot of success using this very, very simple technique,” said James Elliott of the Microsoft Threat Intelligence Center (MSTIC), adding that the new tactic first surfaced in January. “The attackers completely changed the process.”

MSTIC said it identified “several” North Korea experts who provided information to a Thallium attacker’s account.

The experts and analysts targeted by the campaign are influential in shaping international public opinion and foreign governments’ policies towards North Korea, the cybersecurity researchers said.

A 2020 report by the US government’s cybersecurity agencies states that Thallium has been in operation since 2012 and is “most likely to be tasked by the North Korean regime with a global intelligence-gathering mission.”

According to Microsoft, Thallium has historically targeted government employees, think tanks, academics, and human rights organizations.

“The attackers are getting the information right out of the horse’s mouth, if you will, and they don’t have to sit and make interpretations because they’re getting it straight from the expert,” Elliott said.

North Korean hackers are known for multi-million dollar attacks, for targeting Sony Pictures over a film seen as insulting to the country’s leader, and for stealing data from pharmaceutical and defense companies, foreign governments and others.

North Korea’s embassy in London did not respond to a request for comment but has denied involvement in cybercrime.

In other attacks, Thallium and other hackers have spent weeks or months building trust with a target before sending out malicious software, said Saher Naumaan, principal threat intelligence analyst at BAE Systems Applied Intelligence.

But according to Microsoft, the group is now also engaging with experts in some cases without ever sending malicious files or links, even after victims have replied.

This tactic can be quicker than hacking into a person’s account and combing through their email. It also bypasses traditional technical security programs that would scan and flag a message with malicious elements, and it gives the spies direct access to the experts’ thinking, Elliott said.

“It’s really, really hard for us as defenders to stop these emails,” he said, adding that in most cases it comes down to whether the recipient can figure it out.


Town said some messages purporting to be from her had used an email address ending in “.live” rather than her official account, which ended in “.org,” but had copied her full signature line.
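The mismatch Town describes, a familiar display name and signature on an address whose domain ending has changed, is something a mail filter or a recipient's script can check. The sketch below is an added example, not part of the original report: the contact directory, the placeholder domains, the verdict labels and the sample messages are all constructed for illustration, since the article gives only the ".org" and ".live" endings.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display name -> domains that contact really mails from.
KNOWN_CONTACTS = {"jenny town": {"thinktank-placeholder.org"}}

def _split(domain):
    """Return (name, tld), treating the last label as the TLD.
    Simplification: ignores multi-label suffixes such as co.uk."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld

def check_sender(raw_message):
    """Compare the From display name against the domains known for that name.
    'ok' only means the header matches the directory; header authenticity
    (SPF/DKIM/DMARC) has to be verified separately."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    known = KNOWN_CONTACTS.get(" ".join(display.lower().split()))
    if known is None:
        return "unknown-contact"
    if domain in known:
        return "ok"
    name, tld = _split(domain)
    for good in known:
        good_name, good_tld = _split(good)
        if name == good_name and tld != good_tld:
            return "tld-swap"       # same name, different ending (.org -> .live)
    return "name-mismatch"          # known name on an unrelated domain

# Constructed sample messages (not taken from the campaign).
SAMPLES = {
    "genuine": "From: Jenny Town <jtown@thinktank-placeholder.org>\n\nHi",
    "lookalike": 'From: "Jenny Town" <jtown@thinktank-placeholder.live>\n'
                 "Subject: Commission\n\nHi\n--\nJenny Town\nDirector",
    "freemail": "From: Jenny  Town <jt.office@mail-placeholder.com>\n\nHi",
    "stranger": "From: A. Reporter <reporter@news-placeholder.com>\n\nHi",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} -> {check_sender(raw)}")
```

A copied signature block does not affect the verdict, because only the address in the From header is compared with the directory.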

In one instance, she said, she was involved in a surreal email exchange in which the alleged attacker, impersonating her, included her in a reply.

DePetris, a Defense Priorities contributor and columnist for several newspapers, said the emails he received were written as if a researcher were asking for paper submissions or comments on a draft.

“They were quite sophisticated, with think tank logos attached to the correspondence to make it look like the request was legitimate,” he said.

About three weeks after he received the fake email purporting to come from 38 North, a separate hacker impersonated him and emailed other people asking them to look at a draft, DePetris said.

This email, shared by DePetris with Reuters, offers $300 to review a manuscript on North Korea’s nuclear program and solicits recommendations for other potential reviewers. Elliott said the hackers never paid anyone for their research or answers, and never intend to.

Impersonation is a common method for spies around the world, but as North Korea’s isolation has deepened amid sanctions and the pandemic, Western intelligence agencies believe Pyongyang has become particularly dependent on cyber campaigns, a security source in Seoul told Reuters, speaking on condition of anonymity on intelligence matters.

In a March 2022 report, a panel of experts investigating North Korea’s circumvention of UN sanctions listed Thallium’s efforts as among activities that “constitute espionage aimed at informing and assisting the country’s circumvention of sanctions.”

Town said in some cases the attackers commissioned papers and analysts provided full reports or manuscript reviews before realizing what happened.

DePetris said the hackers questioned him about issues he was already working on, including Japan’s response to North Korea’s military activities.

Another email, purporting to come from a reporter for Japan’s Kyodo News, asked a 38 North staffer how she thought the war in Ukraine would inform North Korea’s thinking, and asked questions about US, Chinese and Russian policies.

“One can only guess that the North Koreans are trying to get honest opinions from think tanks to better understand US policy towards the North and its possible direction,” DePetris said.

