Hackers Expose Alleged North Korean Government Cyberespionage Operations in Bold Hacktivist Move

In recent months, two unidentified cybersecurity experts gained access to the computer system of a person strongly suspected of being a North Korean government operative. Upon discovering the nature of their target, they delved deeper and uncovered evidence linking him to numerous cyberespionage activities attributed to North Korea.
One of the experts, known as Saber, revealed to a leading news outlet that the infiltration persisted for approximately four months before the decision was made to disclose their findings. The duo published an article detailing their discoveries in Phrack, a renowned hacking magazine.
Saber expressed the view that nation-state hackers are operating with ulterior motives, stating, “I hope more of them will get exposed, they deserve to be.” The anonymous expert further highlighted the importance of shedding light on these activities to aid researchers in detecting and mitigating such threats.
Numerous cybersecurity firms and researchers closely monitor the North Korean government’s covert operations, which range from espionage to large-scale crypto heists and wide-ranging initiatives in which North Koreans pose as remote IT workers to fund the country’s nuclear weapons program. This latest infiltration provides a unique perspective into these government-backed groups’ tactics and daily activities.
Saber and his unidentified partner, referred to as cyb0rg, prefer to remain anonymous due to potential retaliation from the North Korean regime or other entities. They cite legendary hacktivist Phineas Fisher, who is known for infiltrating spyware manufacturers such as FinFisher and Hacking Team, as a source of inspiration.
Despite acknowledging that their actions were illegal, Saber argued that exposing the evidence was necessary to protect potential victims and aid researchers in detecting North Korean hackers. He expressed hope that this disclosure would lead to the identification of current victims and ultimately limit the hackers’ access.
Cyb0rg echoed these sentiments and emphasized the significance of providing concrete artifacts to the community, stating, “Illegal or not, this action has brought concrete artifacts to the community, this is more important.”
Saber suggested that their target, whom they call “Kim,” may be based in China rather than North Korea, due to his absence during Chinese holidays and instances of translating Korean documents into simplified Chinese using Google Translate. Saber opted not to reach out to Kim, expressing doubts about the hacker’s receptiveness or the impact such a conversation might have on someone steeped in propaganda from birth.
Saber declined to disclose the means by which he and cyb0rg gained access to Kim’s system, citing their intention to use similar techniques to penetrate other North Korean systems in the future. During the operation, they discovered evidence of active hacks against South Korean and Taiwanese companies and alerted those companies.
North Korean hackers have a history of targeting cybersecurity professionals, prompting Saber to remain cautious but not unduly concerned about potential reprisals. “Not much can be done about this, definitely being more careful though :),” said Saber.