North Korean hackers sent more than 120,000 phishing emails to nearly 18,000 individuals over a three-month campaign that impersonated South Korea’s Military Counterintelligence Command’s communication during the Martial Law turmoil, the National Police Agency said Wednesday.
The campaign began in November 2024 and continued through January 2025, targeting professionals in the unification, defense, national security, and foreign affairs sectors. Police confirmed North Korea’s involvement through forensic analysis of the phishing infrastructure, IP addresses, and language patterns tied to past operations.
“Our investigation has confirmed that North Korea was behind the emails distributed on Dec. 11, 2024, bearing the subject line, ‘Disclosure of Defense Counterintelligence Command Martial Law Documents,’” Kim Young-woon, head of the agency’s cyber terrorism unit, said during the press briefing. “Historically, North Korea would send hand-crafted emails impersonating analysts or experts, offering geopolitical forecasts or New Year’s speech analyses,” Kim said. “Now, they’ve automated the process, enabling mass distribution.”
Authorities said at least 570 individuals clicked on the phishing bait and likely exposed sensitive data, including emails and contact lists.
Recycled Infrastructure and Targeted Deception
The hackers used 15 overseas servers rented through foreign providers and deployed custom-built malware capable of tracking real-time metrics. Investigators said the malware that looked to be an info-stealer monitored whether emails were opened, if users clicked on embedded links, and whether they submitted account credentials.
North Korea reused servers previously identified in earlier state-backed cyberattacks. The infrastructure also showed evidence of searches for North Korean defector data and South Korean military information. Browser logs included North Korean dialects, strengthening attribution.
Each phishing email mimicked government alerts or official communication. Subject lines included fake military documents, New Year’s policy analyses, and even invitations to concerts by South Korean celebrities. Others posed as tax refunds, horoscope readings, or health advisories.
Deceptive Links Spread Under the Guise of Martial Law Deployment
The emails directed users to spoofed login portals that closely resembled major South Korean web services like Naver, Kakao, and even Google. Domains included subtle misspellings or character swaps—such as googlauth.com, naver-auth.com, or baernin.com.
Many email addresses appeared to come from government domains or closely resembled personal contacts. Spoofing methods included:
-
Adding terms like
-news,-noreply, or-reportto legitimate domains. -
Mimicking friends’ or colleagues’ addresses with subtle variations (e.g., adding a single letter).
-
Using lookalike domain names with common misspellings (
masrn, orco.kraltered toco.kro.kr).
Out of the 17,744 recipients, 120 individuals fell for the phishing attempt, entering their credentials and granting attackers access to inbox contents and stored contact information.
Warnings to the Public
The South Korean government urged the public to remain vigilant against phishing threats, especially those disguised as official communication. Authorities advised against opening unfamiliar emails, clicking suspicious links, or downloading unverified attachments.
“Never input your ID or password without verifying the legitimacy of the request,” the police warned. “Look carefully at the email sender and website domain. Even minor differences can signal fraud.”
Officials also recommended regularly reviewing account login histories and enabling multi-factor authentication wherever possible.
A Coordinated, Persistent Threat
The investigation showed that the phishing campaign was both well-organized and sustained, reflecting a broader pattern in North Korea’s cyber playbook. Previous incidents linked to Pyongyang include attacks on cryptocurrency platforms, espionage efforts targeting defense sectors, and global disinformation operations.
South Korean authorities reiterated their readiness to respond decisively to any form of cyber aggression. The police pledged enhanced coordination with international partners and local cybersecurity agencies.
“We are mobilizing our full law enforcement capability,” the Police chief said. “Cyberthreats, especially those linked to hostile nations, will be met with swift and strong responses.”
Public Disclosure Justified
Under South Korea’s Public Information Rules on Criminal Investigations, the case was disclosed to the media to help prevent similar attacks. The government cited two justifications:
-
The need to prevent recurrence by informing the public of phishing tactics.
-
The importance of limiting the spread of harm by raising awareness.
This disclosure falls in line with past efforts to inform citizens of advanced cyber threats, particularly those involving national security and public institutions.
Ongoing Investigations
The investigation remains open as cybersecurity experts continue tracking North Korea’s infrastructure and tactics. South Korea’s Cyber Terror Response Division is working closely with the Korea Internet & Security Agency (KISA) and other international stakeholders.
Police urged anyone who suspects they received a spoofed message to report it immediately to national authorities and avoid interacting with the email in any way.
“Cybersecurity is a collective effort,” said the Police said. “Every report helps us build a stronger defense against these malicious campaigns.”
