No attribution has so far been made

UPDATED The lives of nearly 1,000 North Korean defectors have been put at risk after a cyber-attack on a refugee center in South Korea allowed hackers to access sensitive information, local media reported today.

South Korean officials told the press that an intrusion had taken place on a computer belonging to the Hana Center – a government-run outfit that helps North Korean defectors resettle in the South.

The computer at the center, located in the South Korean province of North Gyeongsang, was found to “be infected with malicious code” following an inspection by South Korea’s Ministry of Unification (MOU) on December 19.

It is believed that a phishing attack was used to deliver malware to the PC, which was immediately disconnected from the center’s network upon discovery.

Names, home addresses, and birthdates of 997 defectors, however, were exposed as a result of the hack, and all those affected had been notified, the MOU told reporters.

The attack has yet to be attributed to any source, and no other malicious activity has been detected in any of the Hana Centers spread throughout the country – a total of 25 that support the approximately 30,000 North Koreans who fled their homes for a new life in the South.

Authorities have been notably hesitant to point the finger at North Korea, although the DPRK has been at the forefront of increasingly advanced hacking campaigns.

Earlier this month, a report from McAfee said that US critical infrastructure was being targeted with malware that bore a resemblance to that created by the infamous Lazarus Group – North Korean state-sponsored actors linked to numerous attacks, including the Sony Pictures leak in 2014.

Seoul-based security researcher Simon Choi confirmed to The Daily Swig that malware was delivered to one of the Hana Center’s computers through a fraudulent email masquerading as a questionnaire about North Korean denuclearization and the country’s future relationship with China.

It is believed that this attack did come from North Korean hackers, potentially the Lazarus Group, also known as APT37.

The revelations come days before the South Korean Defence Ministry warned of another phishing campaign where hackers were posing as government officials in order to target reporters.


This article has been updated to include comment from Simon Choi.

