North Korean hackers go on phishing expedition before Trump-Kim summit

Ahead of this week's summit, North Korean hackers are targeting Korean speakers with spearphishing emails.

As President Donald Trump and North Korea’s Kim Jong Un prepare to meet again, cybersecurity researchers say Pyongyang-linked hackers are targeting Korean speakers with spearphishing emails tied to the diplomatic summit.

The suspected North Korean hackers sent out a lure document last week purporting to be from a non-government organization, according to South Korean company ESTsecurity. The invitation from the “Korea-U.S. Friendship Society” invites recipients to a meeting in the South Korean capital of Seoul to analyze the results of the Trump-Kim summit, which begins Wednesday.

Trump and Kim will discuss North Korea’s nuclear program, which, along with hacking tools, is a key pillar of the regime’s foreign policy.

The spearphishing document was formatted in a South Korean word-processing application and came with malicious code associated with North Korean operatives, said ESTsecurity, a company that multiple independent researchers say does good analytical work.


Cybersecurity company CrowdStrike has seen that same document lure and believes it comes from a North Korea-linked hacking group it calls Velvet Chollima, said Adam Meyers, the company’s vice president of intelligence.

It is unclear whom, exactly, the spearphishing targeted; the ESTsecurity report did not say. However, hackers associated with the North Korean government have a history of going after analysts who follow Korean affairs, including through lures related to Korean unification. Those types of decoy documents are “part of their continuing intelligence collection,” Meyers told CyberScoop.

The targeting makes sense, said former U.S. intelligence officer Jason Kichen, as “threat actors take advantage of the excitement and the attention surrounding these events, of everyone’s desire to ensure things go smoothly and ultimately successfully.”

“With those drivers, spearphishing lures, for example, can be crafted to tug at those feelings,” added Kichen, now a vice president at cybersecurity company eSentire.

Last week’s lure is also in keeping with the tendency of North Korean hackers to stay active in and around high-profile diplomatic events. Ahead of the previous Trump-Kim summit in Singapore in June 2018, North Korean hackers reportedly breached companies in Asia, Europe, and the United States. Days after the summit, U.S. officials advised industry on malware samples they tied to the North Korean government.


“I saw a spike in malware around the previous Trump-Kim summit, and I wouldn’t be surprised to see another one,” Kenneth Geers, an Atlantic Council fellow, told CyberScoop.

When Geers was a senior research scientist at cybersecurity company Comodo, he found big jumps in malware deployed around the Singapore summit. He said that activity could have been everything from nation-states collecting intelligence to cybercriminals.

“All geopolitical events are magnets for malware,” Geers said. “There would be well over a dozen nations conducting cyber espionage against the second summit in Vietnam.”

Kichen echoed that point, telling CyberScoop: “There’s no delineation between which threat actor takes advantage of which high profile diplomatic event. It’s an arena where everyone is expected to be playing against each other at the same time.”

In addition to North Korea, Kichen added, “many other nations would have intelligence collection requirements around this event, and I’d expect them to be no more or less active in looking for ways to exploit it.”


A National Security Council spokesperson declined to comment when asked if cybersecurity will be on the agenda at this week’s summit.

For Meyers, the choice of Vietnam for the summit wasn’t random. The Southeast Asian country has made economic strides that North Korea would like to emulate, he said. That is part of a broader forecast that CrowdStrike has made that North Korea will use hacking to steal data from international corporations in an effort to meet the regime’s economic goals.

“We believe that it’s likely that [North Korea is] going to look around to see how others have [made economic progress],” Meyers added. “They’re going to look at China; they’re going to look at Vietnam.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts