Security researchers have discovered that an ongoing botnet campaign is specifically targeting scientists, academics, engineering firm employees, government employees and members of international non-governmental organisations (NGOs).
Forcepoint Security Labs says in its latest report that the Jaku botnet has so far claimed an estimated 19,000 unique victims, 42% of which are located in South Korea, while 31% are located in Japan, 9% in China and 6% in US. The remaining 12% are located in 130 other countries.
IP addresses are allocated within groupings known as routing domains, each identified by an Autonomous System Number (ASN). When the researchers looked up the ASNs corresponding to the victim IP addresses, they found that 14% of the victims were using internet provided by Korea Telecom, with 8% using SK Broadband and 8.4% using LG Uplus Corp – all South Korean network providers.
The botnet was also tracking victims who were using internet provided by NTT Communications Corporation, KDDI Corporation and Softbank in Japan.
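The ASN attribution described above is a routine step in botnet victimology: each victim IP is matched to the most specific announced prefix, the prefix maps to an ASN, and the counts are rolled up per network operator. The following is an added illustration of that process, not code from the Forcepoint report. It assumes a constructed prefix-to-ASN table (hypothetical ASNs and operator names in documentation address ranges) standing in for a real routing-table export or IP-to-ASN lookup service, and a constructed list of victim IPs.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-ASN table. ASNs 64500-64503 are from the private ASN
# range and the prefixes are documentation ranges; none of this is real
# routing data. A real analysis would load this from a BGP table dump or an
# IP-to-ASN lookup service.
PREFIX_TO_ASN = {
    "203.0.113.0/24":   ("AS64500", "ExampleNet-KR"),
    "203.0.113.128/25": ("AS64501", "ExampleNet-KR-Sub"),  # more specific
    "198.51.100.0/24":  ("AS64502", "ExampleNet-JP"),
    "192.0.2.0/24":     ("AS64503", "ExampleNet-US"),
}

# Constructed victim IPs (hypothetical sinkhole/telemetry observations).
VICTIM_IPS = [
    "203.0.113.5", "203.0.113.9", "203.0.113.77",    # fall in the /24 only
    "203.0.113.200", "203.0.113.201",                # fall in the /25 too
    "198.51.100.10", "198.51.100.11", "198.51.100.12",
    "192.0.2.3",
    "100.64.0.1",                                    # not covered by any prefix
]


def build_table(mapping):
    """Parse prefixes and order them longest-prefix-first so that the first
    match during lookup is the most specific announced route."""
    nets = [(ipaddress.ip_network(p), asn, name) for p, (asn, name) in mapping.items()]
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return nets


def lookup_asn(ip, table):
    """Return (asn, operator) for an IP using longest-prefix match.
    Unrouted or uncovered addresses are reported as 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name in table:
        if addr in net:
            return asn, name
    return "unknown", "unknown"


def summarise_by_asn(ips, mapping):
    """Count victims per ASN and compute each ASN's share of the total.
    Returns {asn: (operator, count, percent)}."""
    table = build_table(mapping)
    counts = Counter(lookup_asn(ip, table) for ip in ips)
    total = len(ips)
    return {
        asn: (name, n, round(100.0 * n / total, 1))
        for (asn, name), n in counts.items()
    }


def top_operators(ips, mapping):
    """Operators ranked by victim count, the form a report would present."""
    summary = summarise_by_asn(ips, mapping)
    return sorted(summary.items(), key=lambda item: item[1][1], reverse=True)


if __name__ == "__main__":
    for asn, (name, n, pct) in top_operators(VICTIM_IPS, PREFIX_TO_ASN):
        print(f"{asn:10} {name:20} {n:3d} victims  {pct:5.1f}%")
```

The ordering step in `build_table` matters: without longest-prefix-first matching, the two hosts in `203.0.113.128/25` would be attributed to the covering `/24` and its operator, skewing the per-provider percentages that the rest of the analysis rests on.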
The malware appears to affect only North Korea's neighbours, not North Korea itself, and because the victims have all used the phrases "North Korea (DPRK)" and "Pyongyang", it seems likely that the malware originates from North Korea. Kaspersky also previously pointed out that at one point, the malware was being hosted on the KCNA North Korean official news website.
"There are indicators that suggest that the author(s) of the malware identified are native Korean speakers," Andy Settle, Forcepoint's head of special investigations, told ZDNet.
"Because it is so highly targeted I would suspect that it is not beyond the realms of possibility that each victim had their own unique vector. One may be email, another 'evil maid' [where the attacker has the opportunity to physically access the victim's device], another a watering hole attack and so on."
Forcepoint is warning that more has to be done to stop the Jaku botnet, as it is unlikely to go away on its own, and that this will require teamwork from both government agencies and the cybersecurity industry.
"There are thousands of victim computers that are sitting in waiting that can be used unwittingly to perform DDoS attacks, spear-phishing attacks, spam campaigns and other forms of organised crime behaviour," said Settle.
"Finding, tracking and shutting down attack modes and methodologies with such capabilities can be a formidable task. No single organisation can do it alone. It requires the close collaboration and intelligence-sharing activities of both private organisations and government agencies – and Forcepoint has engaged with NCA, CERT-UK, Europol and Interpol on this investigation."