North Korean Hackers Use Thailand Server To Carry Out Global Cyber Attacks

by Unallocated Author

A group of hackers with links to the North Korean government used servers in Thailand to carry out extensive cyber-espionage and malware attacks.

Earlier this week, the cyber-security firm McAfee released new details on a global hacking campaign dubbed Operation GhostSecret.

Researchers claim that the purpose of this campaign was to steal important information from critical infrastructure, finance, health care, telecommunications and entertainment organizations around the globe.

McAfee wrote in a post, “The campaign is extremely complicated, leveraging a number of implants to steal information from infected systems and is intricately designed to evade detection and deceive forensic investigators.”

It added that the group responsible is the same one that carried out a large-scale attack on Turkish banks last month. It also claims that there are many similarities between this attack and the one on Sony Pictures in 2014.

The tools used in the attacks were the same as the ones used by Hidden Cobra. The United States claims that Hidden Cobra is a group of state-sponsored hackers from North Korea. Apart from being named as the group that attacked Sony Pictures, Hidden Cobra has also been blamed for, and is thought to have carried out, the WannaCry malware attack that crippled computers and networks around the world last May.

According to McAfee, one of the servers was located at Thammasat University in Bangkok. McAfee claimed in a report, “This server resides at Thammasat University in Bangkok, Thailand. The same entity hosted the control server for the Sony Pictures implants. This SSL certificate has been used in Hidden Cobra operations since the Sony Pictures attack. Analyzing this certificate reveals additional control servers using the same PolarSSL certificate.”

“Further analysis of McAfee telemetry data reveals several IP addresses that are active, two within the same network block as the 2018 Destover-like implant.”