Interim investigation results of 27 phishing site email account hacking incidents (27개 피싱 사이트 이메일 계정 해킹 사건 중간조사 결과)

2016-08-01 KRSPO Interim investigation results of 27 phishing site email account hacking incidents

http://www.spo.go.kr/_custom/spo/_common/board/download.jsp?attach_no=171790

Attachments

27개_피싱_사이트_이메일_계정_해킹_사건_중간조사_결과_1.pdf (663 KB)

South Korean prosecutors reported a spear-phishing operation assessed as likely run by a North Korean hacking organization between January and June 2016. The attackers created 27 phishing sites impersonating Google, Naver, Daum, Microsoft, QQ, government ministries, defense firms, and universities, then targeted about 90 people tied to diplomacy, unification, defense, North Korea research, journalism, and defense industry work. Investigators confirmed 56 account passwords were exposed after victims were lured by security-notice emails into entering credentials on fake password-change pages. The infrastructure and methods overlapped with the Korea Hydro and Nuclear Power case, including the same hosting provider, matching phishing web source code, IP-named credential files collected by FTP, and Shenyang IP space previously linked to Kimsuky-family malware. The case matters because it shows credential theft against Korea-focused government, research, and defense targets using reusable phishing infrastructure and operational patterns.
