How a North Korean cyber group impersonated a Washington D.C. analyst

WASHINGTON, D.C. — Six years ago, a well-respected researcher was working late into the night when she stepped away from her computer to brush her teeth. By the time she came back, her computer had been hacked.

Jenny Town is a leading expert on North Korea at the Stimson Institute and the director of Stimson’s 38 North Program. Her work is built on on open-source intelligence, Town said on Monday. She uses publicly available data points to paint a picture of North Korean dynamics.

“I don’t have any clearance. I don’t have any access to classified information,” Town said at the conference.

But the hackers, a unit of North Korea’s intelligence services codenamed APT43, or KimSuky, were not only after classified information.

The hackers used a popular remote-desktop tool TeamViewer to access her machine and ran scripts to comb through her computer. Then her webcam light turned on, presumably to check if she had returned to her computer. “Then it went off real quickly, and then they closed everything down,” Town told attendees at the mWISE conference, run by Google-owned cybersecurity company Mandiant.

Town and Mandiant now presume the North Koreans had been able to exfiltrate information about Town’s colleagues, her field of study, and her contact list. They used that information to create a digital doppelganger of Town: A North Korean sock puppet that they could use to gather intelligence from thousands of miles away.

In D.C., every embassy has an intelligence purpose, Town explained. People attached to the embassy will try to take the pulse of the city to gauge what policy might be in the pipeline or how policymakers felt about a particular country or event.

But North Korea has never had diplomatic relations with the U.S. Its intelligence officers can’t stalk public events or network with think tanks.

The country could fill that void by obtaining intelligence through hacking into government systems, a challenging task even for sophisticated actors. But APT 43 targets high-profile personalities and uses them to collect intelligence.

Within weeks, the fake Town began to reach out to prominent researchers and analysts pretending to be her.

“It’s a lot of social engineering. It’s a lot of sending fake emails, pretending to be me, pretending to be my staff, pretending to be reporters,” Town said.

“They’re literally just trying to get information or trying to establish a relationship in the process where eventually they may impose malware, but it’s usually just a conversation-building device,” Town said.

The group behind Town’s clone has been tied to cryptocurrency laundering operations and influence campaigns, and has targeted other academics and researchers.

The tactic still works, although widening awareness has made it less effective than before. The most susceptible victims are older, less-tech-savvy academics who don’t scrutinize domains or emails for typos.

Adding to the complexity, when the real people reach out to potential victims to try to warn them they’ve been talking with a North Korean doppelganger, the targets often refuse to believe them.

“I have a colleague who I had informed that he was not talking to a real person,” Town said.

But her colleague didn’t believe her, Town said, and decided to ask the doppelganger if he was a North Korean spy. “So of course, the fake person was like, ‘Yes, of course, it’s me,'” Town said at the conference.

Ultimately, her colleague heeded her warnings and contacted the person he thought he was corresponding with another way. The North Korean doppelganger, in the meantime, had decided to break off contact and in a bizarre turn of events, apologized for any confusion and blamed it on “Nk hackers.”

“I love it,” joked Mandiant North Korea analyst Michael Barnhart. “North Korea apologizing for them pretending to be somebody.”