
Kimsuky Hackers Create Phishing Site Mimicking Korea University: Are They Targeting Entire Research Institutions?


The North Korean hacking group Kimsuky has sparked controversy by reportedly developing a phishing site disguised as the Korea University portal. Upon investigation, this phishing site was found to be an exact replica of the actual Korea University portal page (original site: https://portal.korea.ac.kr/).

Phishing site disguised as Korea University portal allegedly developed by North Korean hacking group Kimsuky

Stolen Information of Korea University Students Transmitted to the Hacker’s Server

An analysis of the HTML revealed that the website is hosted on a Windows server running XAMPP, a bundled web stack commonly used by beginners and students. The portal's basic functions, such as email, course registration, and library services, redirected to the legitimate Korea University portal, but the login window was designed to capture credentials. When a user entered their ID and password, the credentials were sent to the hacker's server in a URI format like username=xxxx&password=yyyy. This is a classic phishing tactic, and the stolen Korea University account information was stored on a specific URI path on the hacker's server.
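
The two defender-side checks that follow from this description, as an added example that is not code from the Criminal IP report: first, parse a suspected clone page and flag any password-collecting form whose submit target is not the real portal host (a relative action such as login_check.php resolves to the cloned page's own host, i.e. the attacker's server); second, scan web-proxy log lines for requests that carry a password parameter in the query string to a host other than the legitimate portal, which is exactly the username=xxxx&password=yyyy pattern the analysis describes. The HTML, the log format and the hostname phish-portal.example are constructed placeholders; the page does not publish the actual phishing domain.

```python
# Added example (not from the Criminal IP report): two defender-side checks that
# follow from the page's description of the cloned login form. The HTML, the
# proxy log format and the host "phish-portal.example" are constructed
# placeholders; the real phishing domain is not published on the page.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# The only host the real Korea University login form should submit to.
LEGIT_HOSTS = {"portal.korea.ac.kr"}


class FormParser(HTMLParser):
    """Collect each <form>'s action URL and the (type, name) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type") or "text", a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_login_page(html, page_url, legit_hosts=LEGIT_HOSTS):
    """Return password-collecting forms whose submit target is not the legitimate portal.

    A relative action (e.g. "login_check.php") resolves to the page's own host,
    which for a cloned page is the attacker's server.
    """
    parser = FormParser()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in parser.forms:
        if not any(t.lower() == "password" for t, _ in form["inputs"]):
            continue  # search boxes and the like are not credential forms
        target_host = urlparse(form["action"]).hostname or page_host
        if target_host not in legit_hosts:
            findings.append({
                "action_host": target_host,
                "fields": [n for _, n in form["inputs"] if n],
            })
    return findings


CRED_PARAMS = {"password", "passwd", "pwd"}


def find_credential_leaks(log_lines, legit_hosts=LEGIT_HOSTS):
    """Flag proxy-log requests carrying a password parameter to a non-allowlisted host.

    Constructed log format: "<time> <client_ip> <method> <url> <status>".
    Returns (client_ip, host, sorted parameter names) for each hit.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        url = urlparse(parts[3])
        params = set(parse_qs(url.query))
        if url.hostname not in legit_hosts and params & CRED_PARAMS:
            hits.append((parts[1], url.hostname, sorted(params)))
    return hits


# Constructed sample: a cloned portal page whose login form posts back to itself,
# while an unrelated search form still points at the real university.
SAMPLE_HTML = """
<html><body>
<form action="https://library.korea.ac.kr/search"><input type="text" name="q"></form>
<form action="login_check.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
</body></html>
"""

# Constructed proxy log lines; only the second one is a credential leak.
SAMPLE_LOGS = [
    "2024-06-01T09:00:01 10.0.0.5 POST https://portal.korea.ac.kr/login?username=stu1&password=s3cret 302",
    "2024-06-01T09:01:12 10.0.0.7 GET http://phish-portal.example/login_check.php?username=xxxx&password=yyyy 200",
    "2024-06-01T09:02:30 10.0.0.7 GET http://phish-portal.example/index.php 200",
]

if __name__ == "__main__":
    print(analyze_login_page(SAMPLE_HTML, "http://phish-portal.example/portal.html"))
    print(find_credential_leaks(SAMPLE_LOGS))
```

The form check is what an analyst runs over a fetched copy of the page during triage; the log check is a cheap detection rule for a campus proxy or SIEM, and the allowlist keeps the real portal's own login traffic out of the alerts.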

Screenshot showing stolen information being transmitted to the hacker's server

Remarkably, the server contained phishing sites for multiple universities, not just Korea University. For instance, while examining the directory listings, a phishing site for the Sungkyunkwan University portal was also discovered.

Phishing site for Sungkyunkwan University portal discovered during investigation

Analysis of the Domain and IP Address of the Korea University Phishing Site

Research by Criminal IP into the IP address mapped to the phishing domain revealed that it is hosted by “UCLOUD INFORMATION TECHNOLOGY HK LIMITED,” a Chinese cloud service provider (https://www.ucloud.cn). Although the cloud service provider is based in China, the IP address is assigned to the South Korean region, indicating that the server is physically located in South Korea.

Phishing site’s IP address traced to UCloud Information Technology, a Chinese cloud service with servers in South Korea

Hacker Targeting Educational Institutions, Suspected to be North Korean Kimsuky

The primary target of this phishing site is major university portals in South Korea. These portals are not only accessed by undergraduates but also by graduate researchers and professors, who may be involved in critical national defense or government-related projects. These individuals could be the true targets of hackers.

Given the ongoing issues with North Korean hacking, South Korean national and public institution servers have been continually strengthening their security with various solutions to enhance detection capabilities. If this phishing site is indeed the work of Kimsuky and linked to North Korea, targeting institutions that share state information might be a more accessible approach than directly hacking national institutions. Schools often have weaker security regulations due to budget constraints, making them prime targets. This is a well-known issue in the security industry, where experts frequently remark that “schools are always vulnerable, but nothing is done due to lack of funds.”

Concrete evidence linking Kimsuky to this phishing site has not yet surfaced. Only the threat-hunting tool Validin has classified the domain as associated with Kimsuky. Nonetheless, the suspicion that North Korean hackers might be targeting schools and research institutions for the purposes described above is reasonable.

Threat-hunting tool Validin identifies the Korea University phishing domain as related to Kimsuky

Hacker Tactics and Security Implications of Targeting Easier Victims

There is a saying among hackers: to achieve their goals, they select easier targets. A comparable example is hackers targeting subcontractors working with major corporations, rather than attacking the heavily secured corporations directly, as the subcontractors handle the same information but have weaker security measures. Therefore, entities handling high-value data, such as schools conducting national research or small and medium-sized enterprises (SMEs) subcontracted by large corporations, need to heighten their security awareness.

In conclusion, Criminal IP Domain Search has classified this phishing site as critical, underscoring the need for heightened security measures across educational and research institutions.

Criminal IP Domain Search classifies the phishing site as critical

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.

Source: Criminal IP (https://www.criminalip.io/)
