A major espionage campaign has been uncovered in South Korea, raising alarm in the diplomatic community.
Months-long hacking operation uncovered
Cybersecurity researchers revealed that hackers linked to North Korea carried out a months-long operation targeting foreign embassies in Seoul. The attackers disguised their phishing emails as routine diplomatic correspondence, which made them difficult to tell apart from genuine messages.
The campaign began in March and is still active. At least 19 embassies and foreign ministries were attacked. Investigators believe the hackers are part of the North Korea-linked group called Kimsuky, also known as APT43. This group has a long history of attacking governments, academics, and media groups around the world.
The timing of the attacks makes this operation more worrying. Researchers found that the operators were active during Chinese working hours, and that activity stopped during Chinese public holidays but not during Korean ones. This pattern suggests the group may be operating from China or relying on people based there, although working-hour analysis alone is circumstantial and does not by itself prove where the operators sit.
Fake diplomatic emails trick victims
The hackers used carefully built lures to fool their targets. They sent emails that appeared to come from real diplomats and officials, typically carrying meeting notes, ambassador letters, or invitations to official events. To make the messages more believable, the emails included official-looking signature blocks, diplomatic phrasing, and references to real-world events.
One phishing email pretended to be an invitation from a U.S. Embassy officer to an Independence Day event. Others copied the style of European diplomats or promoted international forums. To make their attacks harder to spot, the hackers created fake documents in many languages, including Korean, English, Persian, Arabic, French, and Russian.
The malicious attachments were delivered inside password-protected ZIP files. The password serves a practical purpose for the attacker: mail gateways and sandboxes cannot unpack or scan the contents, so the archive passes through filters that would otherwise catch it. Once the recipient entered the password and opened the contents, the archive delivered XenoRAT, a remote access trojan (RAT) that gives the operator remote control of the victim's computer.
The attackers could record keystrokes, browse and retrieve files, turn on webcams, and listen through microphones.
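A practical point for defenders follows from the delivery method above: in a standard password-protected ZIP the file contents are encrypted, but the entry names, sizes and flags in the archive's central directory are not. A mail filter can therefore still flag an encrypted archive whose entries are executables, scripts or Windows shortcuts, or whose names use a double extension to pose as a document, without ever knowing the password. The triage routine below is an added example written for this article, not code from the researchers or from any vendor; the sample archive it builds is constructed in memory, and the entry names inside it are invented for illustration (the "encrypted" flag is patched into the headers so that the metadata looks like a real password-protected archive without needing a ZIP encryption library).

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass, field

# Types that should never arrive inside a "document" archive from an outside
# sender. Shortcuts (.lnk) and script types are the classic first-stage loaders.
EXECUTABLE_EXTS = {".exe", ".scr", ".lnk", ".js", ".jse", ".vbs", ".vbe", ".hta",
                   ".ps1", ".cmd", ".bat", ".dll", ".msi", ".chm"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 in local and central headers


@dataclass
class Finding:
    name: str
    encrypted: bool
    reasons: list[str] = field(default_factory=list)


def _basename(name: str) -> str:
    return name.rsplit("/", 1)[-1].lower()


def triage_zip(data: bytes) -> list[Finding]:
    """Inspect archive metadata only (no extraction, no password needed)."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = _basename(info.filename)
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable/script/shortcut type {ext}")
                # "Invitation.pdf.lnk": a document extension hidden before the real one
                if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
                    reasons.append("double extension disguised as a document")
                if encrypted:
                    reasons.append("entry is encrypted: gateway AV cannot inspect the content")
            if reasons:
                findings.append(Finding(info.filename, encrypted, reasons))
    return findings


def _mark_encrypted(blob: bytes) -> bytes:
    """Set the 'encrypted' flag in every local file header (flags at offset 6)
    and central directory header (flags at offset 8). Test-sample helper only:
    it makes the metadata look password-protected without real encryption."""
    buf = bytearray(blob)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= ZIP_FLAG_ENCRYPTED
            i = buf.find(sig, i + 4)
    return bytes(buf)


def build_sample_archive(malicious: bool, password_protected: bool) -> bytes:
    """Constructed sample: an 'invitation' archive with invented entry names."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("Agenda_Reception.docx", b"placeholder document bytes")
        if malicious:
            # a shortcut posing as a PDF; the bytes are a stand-in, not a real LNK
            zf.writestr("Embassy_Invitation.pdf.lnk", b"placeholder shortcut bytes")
    blob = out.getvalue()
    return _mark_encrypted(blob) if password_protected else blob


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive(malicious=True, password_protected=True)):
        print(f.name, "encrypted" if f.encrypted else "clear", "; ".join(f.reasons))
```

In a mail pipeline this check would run on every archive attachment regardless of whether the gateway could open it, and an encrypted archive with a flagged entry is a strong enough signal on its own to quarantine the message for analyst review. Archives that also encrypt entry names (7z with header encryption, for example) defeat this metadata check, which is a reason to quarantine unreadable archives from external senders outright rather than let them through unscanned.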
Stolen data routed through global platforms
Once the malware was installed, it collected detailed information from the victim's device. The stolen data was then sent out through popular online platforms. To avoid being caught, the hackers used trusted services such as GitHub, Dropbox, and Google Drive as exfiltration channels and, in some cases, as command-and-control infrastructure. They also relied on local Korean services such as Daum to host and deliver their malicious files.
This technique makes theft hard for security teams to spot: the traffic goes to services that staff use legitimately every day, so it blends into normal activity and cannot simply be blocked by domain. Detection has to rely on what is unusual about the traffic, such as the volume uploaded, the process or client sending it, or a host that never used the service before.
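To make the detection point concrete, the example below is an added illustration written for this article, not code from the researchers or any of the services named. It runs over a handful of constructed proxy log lines (hostnames, repository names and byte counts are invented) and flags hosts that push data to the upload endpoints of GitHub, Dropbox and Google Drive either in unusual volume or from a client that is not a browser. The endpoint hosts and path prefixes are the services' real public API upload routes; the 1 MB threshold is an assumed value that a real deployment would replace with a per-host baseline.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Upload routes of the services the campaign abused (real API hosts and path prefixes).
UPLOAD_ENDPOINTS = {
    "github":       (r"api\.github\.com", r"^/repos/[^/]+/[^/]+/contents/"),
    "dropbox":      (r"content\.dropboxapi\.com", r"^/2/files/upload"),
    "google_drive": (r"www\.googleapis\.com", r"^/upload/drive/"),
}
UPLOAD_METHODS = {"PUT", "POST", "PATCH"}
BROWSER_UA = re.compile(r"Mozilla/5\.0 .*(Chrome|Firefox|Safari|Edg)/")

# Assumed proxy log layout: time, source host, method, URL, bytes sent, quoted user agent.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/ ]+)(?P<path>\S*) '
    r'(?P<bytes_out>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines for the demonstration; none of these are real hosts.
SAMPLE_LOG = """
2025-06-12T09:14:03Z ws-embassy-07 PUT https://api.github.com/repos/notes-acct/notes/contents/a.bin 614400 "python-requests/2.31.0"
2025-06-12T09:14:09Z ws-embassy-07 PUT https://api.github.com/repos/notes-acct/notes/contents/b.bin 614400 "python-requests/2.31.0"
2025-06-12T09:20:41Z ws-embassy-07 POST https://content.dropboxapi.com/2/files/upload 204800 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
2025-06-12T09:22:15Z ws-front-desk GET https://github.com/some-org/some-repo 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
2025-06-12T10:02:07Z ws-embassy-12 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 51200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
2025-06-12T10:03:30Z ws-embassy-12 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 3072000 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
""".strip().splitlines()


def parse_line(line: str) -> dict | None:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def classify_upload(host: str, path: str) -> str | None:
    """Return the service name if (host, path) is one of its upload routes."""
    for service, (host_re, path_re) in UPLOAD_ENDPOINTS.items():
        if re.fullmatch(host_re, host) and re.match(path_re, path):
            return service
    return None


def detect_cloud_exfil(lines: list[str], volume_threshold: int = 1_000_000) -> list[dict]:
    """Aggregate upload bytes per (source host, service) and raise alerts on
    high volume or non-browser clients. Returns alerts sorted for stable output."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    non_browser: dict[tuple[str, str], set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        service = classify_upload(rec["host"], rec["path"])
        if service is None:
            continue
        key = (rec["src"], service)
        totals[key] += rec["bytes_out"]
        if not BROWSER_UA.search(rec["ua"]):
            non_browser[key].add(rec["ua"])
    alerts = []
    for (src, service), total in totals.items():
        reasons = []
        if total >= volume_threshold:
            reasons.append(f"{total} bytes uploaded exceeds threshold {volume_threshold}")
        if non_browser.get((src, service)):
            reasons.append("non-browser client: " + ", ".join(sorted(non_browser[(src, service)])))
        if reasons:
            alerts.append({"src": src, "service": service, "bytes_out": total, "reasons": reasons})
    return sorted(alerts, key=lambda a: (a["src"], a["service"]))


if __name__ == "__main__":
    for alert in detect_cloud_exfil(SAMPLE_LOG):
        print(alert["src"], alert["service"], alert["bytes_out"], "; ".join(alert["reasons"]))
```

The small browser upload to Dropbox and the GET to github.com produce no alert, which is the point: the rule keys on volume and client rather than on the destination, because the destination is, by design, one the organisation permits. User-agent strings are trivially spoofable, so in practice the non-browser signal should come from endpoint telemetry (the process that opened the connection) rather than from the proxy log alone.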
The Kimsuky group, which has been active since at least 2012, is well known for these methods. It has previously targeted organizations across Asia, including Japan, as well as Europe, Russia, and the United States. The group has been accused of stealing sensitive information to support North Korea's foreign policy and its efforts to evade sanctions.
Officials have noted in the past that North Korean cyber units often operate outside their own borders, with many believed to work from countries such as China and Russia. The latest findings add to the evidence that this campaign, although attributed to North Korea, may have been run from Chinese soil or with help from people based there.