
Talks of Korean reunification have made me feel very optimistic. The Korean War has had a devastating effect on Koreans on both sides of the heavily guarded border. Families have been separated for decades. The war started before I was born! Since 1953, relations between North Korea and South Korea have been considered to be a de facto stalemate. But despite the decades-long stalemate, the war might not be really truly over until Korea is one country. That possibility makes me happy.

The United States has had a major effect on the Korean War since before the war even began in 1950. When Korea split into North Korea and South Korea, it was South Korea which embraced American influence and troops.

The Trump Administration has been involved in the attempt to reunify Korea. On April 20th, 2018, US President Donald Trump tweeted: “North Korea has agreed to suspend all nuclear tests and close up a major test site. This is very good news for North Korea and the World – big progress! Look forward to our Summit.” So Trump and North Korean Leader Kim Jong Un planned to meet in Singapore in June to discuss some of the necessary steps to establishing peace. But now things don’t seem to be going too well.

North Korea wasn’t too happy about the military drills American and South Korean soldiers conducted together. North Korea reacted by saying that they may consider pulling out of the summit that’s been planned for June. They also said that they were unwilling to dismantle their nuclear arsenal as early as the United States would like.

“If the Trump Administration is genuinely committed to improving NK-US relations and come out to the NK-US summit, they will receive a deserving response. But if they try to push us into the corner and force only unilateral nuclear abandonment, we will no longer be interested in that kind of talks and will have to reconsider whether we will accept the upcoming NK-US summit,” said Kim Kye-gwan, North Korean First Vice Minister of the Ministry of Foreign Affairs.

Harry Kazianis, a Korean affairs expert from the Center for the National Interest, offered his perspective. “The North Korean pattern is to do provocations whether it is tests of missiles or nukes, ask for negotiations then string us along for months and years. But this time, they are not even getting to that point, they are already causing problems before we have the negotiation.”

This sort of tension seems to be having a palpable effect on cyber-attacks. Comodo Cybersecurity research has discovered a huge spike in malware detections in North Korea. Between May 1st and May 3rd, while the American and North Korean governments were exchanging harsh words, Comodo detected about eight times as many malware attacks in North Korea as the typical level since the beginning of 2018. A lot of the newly detected malware was malicious Windows activation software and Ultrasurf, a Chinese internet censorship circumvention tool. Internet censorship is even more heavy-handed in North Korea.

Ultrasurf was originally developed in 2002 by Chinese dissidents in Silicon Valley. The tool allows users in China to bypass what has been colloquially referred to as the “Great Firewall of China.” Ultrasurf is designed to run on Windows as an EXE file. It can be used without any installation or changes to the Windows Registry. To remove all traces of Ultrasurf from a PC, a user only has to delete the u.exe file. Cybersecurity product vendors have mixed opinions as to whether or not Ultrasurf is malware. It behaves like some malware in that it redirects internet communications through encryption. That’s a useful cybersecurity function in applications such as VPNs, but some malware also uses stream ciphers in order to evade detection.

Because a lot of the malware readings Comodo received in North Korea were related to Windows activations and Ultrasurf, it appears that ordinary North Koreans are feeling more confident in the wake of Korean reunification talks. They may be less afraid of the North Korean government in their attempt to acquire open internet communications with the rest of the world, even if that requires deploying what some consider to be malware.

By May 5th, the spike in Comodo’s detections had disappeared. Then by May 9th, US Secretary of State Mike Pompeo travelled to North Korea and returned with three American prisoners.

In related news, there appear to be people in either North Korea or South Korea who are targeting North Korean dissidents with Android spyware Trojans. Sun Team is the cyber-attack group behind this phenomenon. KakaoTalk, a popular chat app in South Korea, and social networks including Facebook are being used to find North Korean defectors. They are being socially engineered to download Android Trojans with names like “Blood Assistant,” “Pray for North Korea,” “Food Ingredients Info,” “AppLock Free,” and “Fast AppLock.” The latter two are fake security apps. These malware campaigns have been detected as early as October 2016, and even with the possibility of Korean reunification, Sun Team seems to be continuing their attacks.

There are both North Korean and South Korean indications in Sun Team’s activities. Dropbox accounts used as command and control servers by Sun Team have used names of South Korean celebrities and television shows. But they’ve also been found to use words that are exclusive to the North Korean dialect of the Korean language.

Unlike a lot of Android malware, the malware that Sun Team has been deploying seems to simply behave as spyware, reading SMS messages and contact information from the targeted Android devices and sending that sensitive data back to their command and control servers. So, Sun Team is engaging in espionage.

Matters in North Korea and South Korea may continue to get messy, even as South Korean President Moon Jae-In and North Korean Leader Kim Jong Un seem to want to make peace. Comodo will definitely be on the lookout for future malware that targets the two Koreas.