North Korean Hackers Target Universities and Researchers
The hacker group Kimsuky, linked to North Korea, has once again come into the spotlight following a series of attacks targeting university staff, researchers, and professors. According to cybersecurity company Resilience, these cyberattacks are aimed at gathering intelligence.
Resilience experts report that the group’s activity was detected at the end of July this year due to an operational security mistake made by the hackers. Kimsuky, also known as APT43, ARCHIPELAGO, and other names, is one of several cyber units operating under the direction of the North Korean government and military structures.
Kimsuky actively uses phishing attacks to deliver specialized tools that enable reconnaissance, data theft, and the establishment of persistent remote access to infected devices. One of the hallmarks of these attacks is the use of compromised servers to deploy a disguised version of the Green Dinosaur web shell. This tool is used to perform file operations on compromised devices.
Experts note that access gained through Green Dinosaur allows the hackers to upload phishing pages that mimic legitimate portals such as Naver and university websites, including Dongduk University, Korea University, and Yonsei University. These fake pages are designed to steal user credentials.
After a victim enters their information, they are redirected to another site hosting a PDF document, supposedly an invitation to a forum at the Asan Institute for Policy Studies. Resilience researchers also discovered that Kimsuky’s phishing sites use a tool for mass collection of Naver credentials, which works as a proxy and steals cookies and passwords from visitors.
Additionally, the analysis revealed that Kimsuky uses a specially developed PHPMailer tool called SendMail. This tool is used to send phishing emails from Gmail and Daum Mail accounts.
To protect against such attacks, experts recommend enabling multi-factor authentication and carefully checking URLs before entering any information.