The Peninsula

Malware Attacks on Korean News Websites

By Chad 0’Carroll

Last week The Daily NK, an online newspaper dedicated to covering North Korea from a human rights perspective, suffered a malware attack.  It was by no means the first malware infection of the site (936 pages infected in the last 90 days alone, according to Google), but comes following a spate of infections on other Korea related news websites. It also occurred following growing reports of hacking attempts against specific members of the North Korea watcher community.  So what exactly is going on?  Are Korea watchers being specifically targeted, or should these attacks be seen in a broader context?

Malware is malicious code that is installed onto websites by a third party.  Without adequate protection, visitors to infected sites obliviously download the malicious code which can in turn give third parties unauthorized access to computer systems.  But it is important to note that “malware” is a catchall term, covering malicious code that includes Trojan horses, spyware, and computer viruses.  As a result, the effect of malware infections can vary significantly.  Sometimes malware is used to install a script which turns the infected computer into a “bot”, which can be used to take part in a distributed denial of service attack (DDS).  But oftentimes the malware’s purpose is a lot more dangerous.

According to this Google report, the malware found recently on the Daily NK site took the form of a Trojan horse, a malicious script which unlike a virus, does not spread by itself. Once activated, Trojan scripts can create backdoor access on a computer that can give the creator access to confidential or personal information. Functions of these scripts can include stealing your passwords, viewing your screen as you are working, and even broadcasting all that one types to another location.  With the Daily NK frequented by many serious North Korea watchers and human rights activists, it is easy to understand why pro-North Korea actors or entities might be interested in obtaining back-door entry to the computer systems of the Daily NK audience profile.  After all, the type of information that could be sourced through any script installed on a U.S. government employee or NGO worker’s computer could be extremely useful for the North Korean state.

The Daily NK have reported that they are aware that the source of the malware infections is China, something also corroborated by Google’s own site report, which says the same scripts can be found on digtaobao.com and 10086chongzhi.com, two Chinese registered domains that presently contain no website content.  But just because a script is associated with China, we cannot assume that it was necessarily coded by Chinese hackers.  Martyn Williams of NK Tech explains…

“The “evidence” usually cited is an IP-address, but herein lies the problem. Malware and other hacking attempts are usually routed through multiple IP addresses to avoid detection and sometimes fake the address, so it’s possible the real culprits are elsewhere but savvy enough to make their attack look like it came from a North Korean address. After all, North Korea is a very convenient and believable culprit.”

Likewise, much of North Korea’s own internet infrastructure goes through China, and there are reports that there are batches of Chinese IP addresses owned specifically by North Korean entities.  And although Google has said that the Daily NK malware takes the form of a Trojan horse and we know that it is going through China, we don’t know what the scripts that have infected the site were actually designed to do.

Looking at the broader context, it is extremely important to point out that malware is extremely common in South Korea.  In summer 2010, South Korea had the highest infection rates of malware in the world.  While the government has done much to improve this situation, a quick glance of online news resources in South Korea shows the following sites to have encountered malware infections in the past 90 days:

• The Korea Times
• The Hankyroreh
• The Kyunghang Shinmun
• The Pusan Ilbo
• Oh My News
• Hankyung
• Pressian
• Imaeil

Of a total of 22 major news websites in South Korea, a remarkable 36% are thus somehow infected with malware. In this light, it is quite possible that the Daily NK infection should just be seen as forming part of this trend, in which Korean websites, for whatever reason, continue to remain a hotbed for malware activity. But without having the actual malicious scripts to compare (and an IT security expert to analyze them), there is no way of knowing if the Daily NK code construes either a specific threat to the Korea watcher community or instead is something more akin to the code found on these other news sites.  However, when considering other factors, dismissing Daily NK malware as being merely reflective of the high level of infection in South Korea could be risky.

As Curtis Melvin has been chronicling over the past year (here, here, and here), there has been a strikingly determined campaign to infect the computers of specific individuals working on Korea policy.  In the course of writing this piece, one member of KEI staff even received another example of these emails.  Like the Daily NK malware, this approach has also involved the use of a Trojan horse mechanism, with individuals contracting infections after opening contaminated attachments in emails. These emails are often crafted specifically for the characteristics of seasoned North Korea watchers, inviting recipients to take part in North Korea related interviews, or to read North Korea related manuscripts and texts. Often, the senders portray themselves as being media representatives, fellow North Korea analysts, or even Kim Il-Sung apologists.  With the text of the emails being relatively convincing, it is quite likely that a number of infections may have already taken place, despite warnings posted on Mr. Melvin’s site.  But exactly what the code does when it has infected a user’s computer is yet unknown.  However, the personally tailored approach of the emails suggests that a) there is a list of specific people the senders are trying to compromise and b) that accessing the recipient’s computer and files is probably the priority.  But is this likely a lone individual or something more sinister? IT Security expert Alexander Sverdlov of Nopasara.com explained:

“The only case when you could suspect an individual attacking you with no organization behind them is if you had a disgruntled system administrator / IT person who had to be fired, or if a highly trained individual is for some reason offended by what you do to them or someone else. In all other cases you can bet that an attack is funded / backed by a large organization / corporation / government. These attacks are very expensive; they are highly risky for their implementers and thus their high price. Not everyone can afford to hire a hacker to individually target you and / or your organization.”

If the aim is to get access to as many North Korea watcher’s computers as possible, it would be entirely consistent for the programmers of this malicious email code to want to infect sites like the Daily NK, too.  Receiving hundreds of visitors per day, infecting the Daily NK would easily increase the likelihood that the code’s programmers could obtain sensitive information related to defectors, human rights NGOs, and more.  What’s more, North Korea has already made its disdain for Daily NK clear, with a post in 2010 showing KCNA’s contempt of the South Korean based website.  But does all this suggest tacit North Korean involvement?

Despite all the circumstantial evidence, it is difficult to draw conclusions about who or what is responsible for the malware on Daily NK and the malicious emails that have been doing the rounds.  Given its paranoia and extensive spying networks, there is undoubtedly motivation for North Korea to want to bolster intelligence gathering capacities, and these approaches could definitely help to that end.  For this reason, North Korea is routinely blamed for masterminding cyber-attacks in South Korea, often though without much evidence.  But it is also important to remember that cyber attacks occur worldwide ordinarily, and Trojan horses are relatively easy to code. As such, there is always the potential that both the emails and malware form part of this wider pattern, or that they are the work of lone individuals, perhaps sympathetic to the North Korean government.  Nevertheless, neither of these explanations should give anyone much confidence, because even if it is not North Korea that is trying to hack your computer, then there is still cause for concern.  In short, be extremely careful when opening email attachments from strangers or visiting websites related to the Koreas.  If there is a sign of malware, steer clear.

Chad 0’Carroll is the Director of Communications for the Korea Economic Institute. The views represented here are his own.