Kaspersky Lab believes that it has uncovered an active North Korean online espionage campaign that is targeting research institutes in South Korea.
The company believes it is targeting 11 organisations within South Korea and two more in China. These include the Sejong Institute, Korea Institute for Defense Analyses (KIDA), South Korea's Ministry of Unification, Hyundai Merchant Marine, and the Supporters of Korean Unification, a non-government organisation.
At the heart of the campaign is a trojan that the research lab has named Kimsuky, presumably after the names "Kimsukyang" and "Kim asdfa", which are associated with email accounts tied to the malware.
According to Kaspersky Lab, Kimsuky gathers information about its victim on first infection, including keystroke logging, directory listings, and stealing documents, among other actions.
It also attempts to disable security features that are present on the victim's computer, targeting Windows' built-in firewall protection and Windows Security Centre. In particular, it singles out a firewall product made by South Korean vendor AhnLab.
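The tampering described above (switching off the Windows Firewall and Security Centre and stopping a third-party firewall) leaves traces in the Windows System and Security event logs, and a defender can alert on that pattern. The following is an added example written for this page, not code from the article or from Kaspersky Lab: it runs a simple detector over constructed sample event records kept in a simplified dict form. The Windows event IDs 4950 (firewall setting changed), 5025 (firewall service stopped), 7036 (service changed state) and 7040 (service start type changed) and the service names `MpsSvc` and `wscsvc` are real Windows identifiers; the AhnLab service name is a placeholder assumption, since the article does not give one.

```python
"""Added example: flag Windows events that match the security-feature tampering
described in the article. Sample events below are constructed, not real telemetry."""

from dataclasses import dataclass

# Services whose stop or disable we treat as security tampering.
# MpsSvc and wscsvc are the real Windows Firewall / Security Center service names;
# the AhnLab entry is a placeholder assumption (the article names no service).
WATCHED_SERVICES = {
    "MpsSvc": "Windows Firewall",
    "wscsvc": "Windows Security Center",
    "AhnLabFirewall_PLACEHOLDER": "AhnLab firewall",
}


@dataclass(frozen=True)
class Alert:
    host: str
    reason: str


def analyse_events(events):
    """Return one Alert per event that matches a tampering pattern."""
    alerts = []
    for ev in events:
        eid, host = ev["event_id"], ev["host"]
        if eid == 5025:
            # Event 5025: the Windows Firewall service has been stopped.
            alerts.append(Alert(host, "Windows Firewall service stopped"))
        elif eid == 4950 and ev.get("setting") == "EnableFirewall" and ev.get("value") == "No":
            # Event 4950: a firewall setting changed; here the profile was switched off.
            alerts.append(Alert(host, f"Windows Firewall disabled on {ev.get('profile', '?')} profile"))
        elif eid == 7036 and ev.get("state") == "stopped" and ev.get("service") in WATCHED_SERVICES:
            # Event 7036: Service Control Manager reports a state change.
            alerts.append(Alert(host, f"{WATCHED_SERVICES[ev['service']]} service stopped"))
        elif eid == 7040 and ev.get("start_type") == "disabled" and ev.get("service") in WATCHED_SERVICES:
            # Event 7040: a service's start type was changed (here to Disabled).
            alerts.append(Alert(host, f"{WATCHED_SERVICES[ev['service']]} start type set to disabled"))
    return alerts


def hosts_with_multiple_tampering(events, threshold=2):
    """Hosts with at least `threshold` distinct tampering alerts. One stopped
    service may be maintenance; several in succession match the behaviour
    the article attributes to Kimsuky and deserve an incident ticket."""
    reasons_by_host = {}
    for alert in analyse_events(events):
        reasons_by_host.setdefault(alert.host, set()).add(alert.reason)
    return sorted(h for h, reasons in reasons_by_host.items() if len(reasons) >= threshold)


# Constructed sample events (simplified representation of Windows log records).
SAMPLE_EVENTS = [
    {"host": "WS-017", "event_id": 4950, "profile": "Standard", "setting": "EnableFirewall", "value": "No"},
    {"host": "WS-017", "event_id": 5025},
    {"host": "WS-017", "event_id": 7036, "service": "wscsvc", "state": "stopped"},
    {"host": "WS-017", "event_id": 7040, "service": "AhnLabFirewall_PLACEHOLDER", "start_type": "disabled"},
    {"host": "WS-042", "event_id": 7036, "service": "Spooler", "state": "stopped"},   # not watched
    {"host": "WS-042", "event_id": 7036, "service": "MpsSvc", "state": "stopped"},    # single hit
    {"host": "WS-042", "event_id": 4950, "profile": "Standard", "setting": "LogDroppedPackets", "value": "No"},
]

if __name__ == "__main__":
    for a in analyse_events(SAMPLE_EVENTS):
        print(f"{a.host}: {a.reason}")
    print("hosts to investigate:", hosts_with_multiple_tampering(SAMPLE_EVENTS))
```

On the constructed sample, `WS-017` produces four distinct alerts and is reported for investigation, while `WS-042` produces only one (a stopped firewall service) and stays below the threshold; in practice the same logic would be fed from an EDR or SIEM export rather than an inline list.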
The authors behind Kimsuky maintain control of the malware through email. A number of email accounts have been set up and used to pull data out of the systems as attachments sent to two master email accounts. These master accounts are also used to provide commands back to infected computers.
Kaspersky Lab suspects that the attacks are being conducted by North Korea, and although there is no concrete evidence for this claim, the company does have some anecdotal evidence.
Researchers uncovered a number of IP addresses that the attackers used, all of them belonging to the Jilin Province Network and Liaoning Province Network in China.
"Interestingly, the ISPs providing internet access in these provinces are also believed to maintain lines into North Korea," the company wrote.
"This geo-location supports the likely theory that the attackers behind Kimsuky are based in North Korea."