North Korean hackers hijack Google, KakaoTalk accounts to control South Korean phones: Report

The attack marks the first confirmed case of a North Korean state-sponsored hacking group compromising Google accounts

North Korean state-sponsored hackers hijacked Google accounts to remotely control and wipe smartphones and tablets held by individuals in South Korea, then exploited their KakaoTalk messenger as a channel to spread malware to their contacts, according to a report on Nov 10.

The attack marks the first confirmed case of a North Korean state-sponsored hacking group compromising Google accounts to gain remote control over smart devices, said South Korean cyber-security firm Genians.

The attack was identified as part of a malware campaign by North Korea’s Konni APT cyber espionage group.

In the first stage of the hacking scenario, hackers infiltrated targeted individuals’ devices through spear-phishing attacks by impersonating South Korea’s tax agency, the National Tax Service.

Then, hackers conducted extensive internal reconnaissance and user information gathering before launching the cyber attack.

Next, hackers compromised victims’ Google accounts and abused Google’s “Find Hub” service, which is intended to help users protect lost or stolen Android devices, to carry out data-destructive attacks.

The service lets an account owner execute a variety of remote commands on registered Android-based devices; the hackers turned these functions against the victims, using them to track device locations and to remotely reset smartphones and tablets.

“This development demonstrates a realistic risk that the feature can be abused within advanced persistent threat (APT) campaigns,” the English-language report read.

More seriously, the North Korean cyber attackers compromised victims’ KakaoTalk accounts, utilising them as primary channels to spread malicious files to their contacts.

The KakaoTalk accounts were compromised after the victims’ Android devices had been reset, which disrupted and delayed normal recovery and use of the targeted devices for an extended period.

Specifically, the hackers executed a remote factory-reset command on victims’ Android devices after confirming via Find Hub’s location query that the victims were not using their devices.

The remote reset halted normal device operation and blocked notifications and message alerts from the KakaoTalk messaging app, effectively preventing victims from seeing the alerts and delaying detection and response.

Immediately after the reset, the attacker used the victim’s logged-in KakaoTalk PC version as a second distribution channel to rapidly spread malicious files.

“This campaign is assessed as a typical social-engineering attack that leveraged trust-based communications to precisely exploit the target’s psychological and social context,” the report said.

“In particular, the compromise of messenger accounts and their use as a secondary attack vector increased the attack’s level of customisation while expanding its attack surface and propagation scope, thereby amplifying the threat,” the report added.

It found that among the victims was a specialist counsellor who provides psychological support to North Korean defector students.

Hackers took over and abused the KakaoTalk account of the counsellor on Sept 5 by sending a malicious file disguised as a “stress-relief programme” to North Korean defector students.

When recipients opened the file, it infected their devices.

On Sept 15, a separate similar incident occurred in which malicious files were widely and simultaneously distributed via another victim’s KakaoTalk account.

“This combination of device neutralisation and account-based propagation is unprecedented among previously known state-sponsored APT scenarios and was first identified and analysed in this report,” the company said.

“It demonstrates the attacker’s tactical maturity and advanced evasion strategy, marking a key inflection point in the evolution of APT tactics.” THE KOREA HERALD/ASIA NEWS NETWORK