The sending of malicious e-mails impersonating North Korea-related organizations was the work of North Korea

2017-01-25 KRNPA North Korea is responsible for sending malicious e-mails impersonating North Korea-related organizations.

https://www.police.go.kr/user/bbs/BD_selectBbs.do?q_bbsCode=1002&q_bbscttSn=1B000001119101000

Attachments

북한발사칭메일수사결과.hwp (468 KB)

South Korean police attributed a malicious email operation against foreign affairs, security, defense, and unification personnel to North Korean infrastructure after tracing activity through overseas relay servers back to an IP range in Ryugyong-dong, Pyongyang. The emails impersonated North Korea-related academic groups and used Hangul attachments such as “Concerned Republic of Korea” and “Analysis of North Korea’s 2017 New Year Address” that could steal information and download and execute additional malware. Investigators connected the activity to a broader 2016 campaign in which 58 impersonation accounts sent malicious or phishing emails to 785 people in government, research, and education organizations, while 69 domestic and overseas relay servers were identified. The case matters for DPRK-focused tracking because it shows sustained credential theft and document-stealing operations using topical North Korea issues, trusted institutional impersonation, and relay infrastructure to target South Korean policy and defense communities.
