We (Interlab) have been tracking a threat actor we classify as #UCID902. This actor is utilising watering hole credential harvesting attacks to target activists involved in human rights advocacy on the Korean peninsula.
We first observed UCID902 in 2021 while working with activists based in South Korea. The lures were designed to look like Naver security alerts, prompting users to enter their credentials. The phishing infrastructure was typically hosted on the web servers of legitimate web development companies.
Over the last two years, we have seen consistent efforts to target individuals from the human rights and civil society communities.
All events we have tracked show direct correlations in infrastructure, capabilities and victimology. Every attack relies on the compromise of a legitimate web development company, all of which are based in Seoul.
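As a practical aside (an example added here, not Interlab's tooling or findings), the following triage heuristic targets the kind of lure described above: a page that carries Naver branding and a password form but is hosted on, or posts credentials to, a host outside naver.com, which is what a lure planted on a compromised third-party web server looks like. The domain names, the HTML samples and the naver.com allow-list are assumptions constructed for the example.

```python
"""Heuristic triage of a suspected credential-harvesting page.

Added example, not Interlab's code. It assumes the lure looks like a Naver
security alert with a login form, and treats any page that shows Naver
branding while being hosted on, or posting to, a host outside naver.com as
worth a closer look. Hosts and HTML below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the only hosts that may legitimately carry a Naver login form.
LEGIT_SUFFIXES = ("naver.com",)
BRAND_MARKERS = ("naver", "네이버")


class _LoginFormScanner(HTMLParser):
    """Collects every <form> and whether it has a password field, plus page text."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "has_password": bool}, ...]
        self.text = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def host_is_legit(host):
    """True if host is naver.com or a subdomain of it (suffix match, not substring)."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def triage_login_page(url, html):
    """Return findings for one page; 'suspicious' is True when Naver branding,
    a password form and an off-brand hosting or posting host coincide."""
    scanner = _LoginFormScanner()
    scanner.feed(html)
    page_host = urlsplit(url).hostname or ""
    text = " ".join(scanner.text).lower()
    brand_mentioned = any(m in text for m in BRAND_MARKERS)

    action_hosts = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        # A relative or empty action posts back to the page's own host.
        target = urljoin(url, form["action"]) if form["action"] else url
        action_hosts.append(urlsplit(target).hostname or "")

    off_brand_hosts = [h for h in [page_host] + action_hosts if not host_is_legit(h)]
    return {
        "page_host": page_host,
        "brand_mentioned": brand_mentioned,
        "password_form_count": len(action_hosts),
        "action_hosts": action_hosts,
        "off_brand_hosts": off_brand_hosts,
        "suspicious": brand_mentioned and bool(action_hosts) and bool(off_brand_hosts),
    }


# Constructed sample: a lure on a third-party host, styled as a Naver alert.
LURE_URL = "https://webdev-agency.example/notice/security/"
LURE_HTML = """
<html><head><title>NAVER 보안 알림</title></head><body>
<h1>네이버 계정 보안 경고</h1>
<p>비정상적인 로그인 시도가 감지되었습니다. 계정을 확인하려면 다시 로그인하세요.</p>
<form method="post" action="verify.php">
  <input type="text" name="id"><input type="password" name="pw">
  <button>로그인</button>
</form></body></html>
"""

# Constructed sample: branding, hosting and form target agree, so it should not fire.
BENIGN_URL = "https://nid.naver.com/nidlogin.login"
BENIGN_HTML = """
<html><body><h1>NAVER 로그인</h1>
<form method="post" action="https://nid.naver.com/nidlogin.login">
  <input type="text" name="id"><input type="password" name="pw">
</form></body></html>
"""

if __name__ == "__main__":
    for name, u, h in (("lure", LURE_URL, LURE_HTML), ("benign", BENIGN_URL, BENIGN_HTML)):
        print(name, triage_login_page(u, h))
```

The suffix match in host_is_legit matters: a substring check would accept a host such as naver.com.evil.example, which is exactly the shape a lookalike lure host tends to take. The heuristic is deliberately narrow and is meant to prioritise pages for analyst review, not to replace the infrastructure correlation described in the post.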
In 2022, we identified a very specific infrastructure overlap between UCID902 and a campaign led by #Kimsuky, involving malicious HWP documents targeting the Ministry of Unification.
For us, this was the first socio-political indicator for UCID902 in our data, as it closely overlaps with the motivations of known threat groups based in North Korea.
We notified KISA (the Korea Internet & Security Agency) of the compromised web development companies earlier this year and have yet to hear whether these companies have been secured. Once we know they have been, we will release IOCs to help defend those at risk.
You can read the full details of our findings here:
https://interlab.or.kr/archives/18979