South Korea's Power Structure Hacked, Digital Trail Leads to China
South Korean intelligence claims China-based hackers stole confidential material from the country's diplomatic and security services throughout 2010. If a new report is correct, hackers inside the People's Republic of China gained access to personal computers and PDAs belonging to much of South Korea's power structure.

South Korea's primary intelligence agency is claiming that China-based hackers stole confidential material from the country's diplomatic and security services throughout the past year. If the new report by the National Intelligence Service [2] is correct, hackers inside the People's Republic of China gained access, via malware, to personal computers and PDAs belonging to much of South Korea's power structure.
The booty? Sweet, sweet defense documents.
It also appears South Korea was well aware that bureaucrats and government officials were falling for Chinese malware. According to Kang Min-Seok and Lee Ka-Young of the right-wing JoongAng Ilbo newspaper, which publishes an English edition in conjunction with the International Herald Tribune, numerous government memos [3] were sent out in 2010 warning officials to be wary of malware-laden email.
The emails were sent from legitimate-looking accounts at two popular South Korean webmail portals, Naver [4] and Daum [5]. The accounts feigned legitimacy by using the names of actual mid-level and high-level Korean bureaucrats at both the Ministry of Foreign Affairs and Trade and the Korean Blue House [6], so a recipient checking only the sender's name would see a colleague, not a stranger.
Whoever the hackers were, they seemed to have been targeting bureaucrats involved in South Korea's relations with the North. The three subject headings used for the malware emails were “2010 Korean Peninsula affairs outlook,” “Itinerary of Kim Jong-Il's trip to China” and “Briefing on Pritchard's North Korea visit.” “Pritchard” appears to be Charles “Jack” Pritchard [7], former director of Asian affairs for the Clinton administration and the Bush administration's North Korean envoy [8]. Pritchard's last publicly announced visit to North Korea was in November 2009 [9].
Once users opened the emails, they found legitimate-appearing document attachments that were actually executable files. When run, they installed malware that copied documents from the user's computer or PDA to an undisclosed address. According to one of the National Intelligence Service warnings, “when the attached documents are opened, hacking programs will infect the computer and all the stored data will be stolen.”
As in so many cases, a cleverly-hidden executable file turned out to be hacker gold.
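The check that separates a real document from an executable wearing a document's name is the one a mail gateway or endpoint agent should be running, so here is an added illustration of it. This is example code written for this page, not code from the article, the NIS warnings or the JoongAng Ilbo reporting. The attachment names are constructed from the subject lines quoted above, the bytes are minimal stand-ins rather than real malware, the magic numbers are the standard file signatures for PE, OLE2, ZIP and PDF, and the block/review/allow policy is an assumption of the example. It also goes slightly beyond the article by covering double extensions and the Unicode right-to-left override trick, which are the usual ways an executable is made to look like a document.

```python
"""Classify e-mail attachments by content, not by name (added example)."""
import os

# File-type magic numbers at offset 0 (standard values, not from the article).
PE_MAGIC = b"MZ"                                  # Windows executables (.exe/.scr/.dll)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office .doc/.xls/.ppt (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.xlsx/.pptx (ZIP container)
PDF_MAGIC = b"%PDF"
RTLO = "\u202e"                                   # Unicode right-to-left override

DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".hwp", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def content_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the filename entirely."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, findings); verdict is 'block', 'review' or 'allow' (assumed policy)."""
    findings = []

    # 1. Name-based tells: hidden extensions and executable suffixes.
    if RTLO in filename:
        findings.append("right-to-left override in filename hides the real extension")
    base, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner_ext = os.path.splitext(base)[1].lower()
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
    if inner_ext in DOCUMENT_EXTS and ext not in DOCUMENT_EXTS:
        findings.append(f"double extension {inner_ext}{ext} mimics a document")

    # 2. Content-based tells: what the bytes actually are.
    kind = content_type(data)
    if kind == "pe":
        findings.append("content is a Windows executable (MZ header)")
    elif ext in {".doc", ".xls", ".ppt"} and kind != "ole":
        findings.append(f"{ext} name but content lacks the OLE2 header")
    elif ext in {".docx", ".xlsx", ".pptx"} and kind != "zip":
        findings.append(f"{ext} name but content is not a ZIP (OOXML) container")
    elif ext == ".pdf" and kind != "pdf":
        findings.append(".pdf name but content lacks the %PDF header")

    # 3. Verdict: anything executable is blocked outright; a document whose
    #    name and content disagree goes to a human; a consistent document passes.
    if kind == "pe" or ext in EXECUTABLE_EXTS or RTLO in filename:
        return "block", findings
    if findings:
        return "review", findings
    return "allow", findings


# Constructed sample attachments: names modelled on the subject lines quoted in
# the article; the bytes are minimal stand-ins, not real files or malware.
SAMPLES = {
    "2010 Korean Peninsula affairs outlook.docx": ZIP_MAGIC + b"\x14\x00\x00\x00",
    "Itinerary of Kim Jong-Il's trip to China.doc.exe": PE_MAGIC + b"\x90\x00\x03\x00",
    "Briefing on Pritchard visit\u202ecod.exe": PE_MAGIC + b"\x90\x00\x03\x00",
    "Briefing on Pritchard visit.doc": b"{\\rtf1 RTF text saved under a .doc name",
}


def scan_all(samples=SAMPLES) -> dict[str, str]:
    """Run the check over every sample and return filename -> verdict."""
    return {name: assess_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, findings = assess_attachment(name, data)
        print(f"{verdict:6}  {name!r}")
        for finding in findings:
            print(f"        - {finding}")
```

The third sample displays in most mail clients as “Briefing on Pritchard visitexe.doc” because the right-to-left override reverses everything after it, which is exactly why the name is never trusted on its own. The fourth sample shows the other edge: an RTF file saved with a .doc name is something Word opens happily, so a mismatch between name and content earns a “review” rather than an outright block.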
South Korean investigators obtained the IP addresses used to log in to the Naver and Daum accounts used in the scam. The IP addresses in question all originated in the People's Republic of China.
Although the exact scale of the Chinese hacker attack is unknown, it appears that they did lift some interesting documents from their Korean targets. Song Young-Sun, a parliamentarian belonging to the minority Future Hope Alliance, claims that Defense Ministry reports indicate “1763 confidential pieces of information” were “stolen by hackers.” Another parliamentarian, Lee Jung-Hyun, claims that the Chinese hackers included an analysis of a Samsung SDS [10] report on computer work for the Korean government and, strangely enough, “a Defense Ministry study of the Chinese hackers and their malware virus.”
In an interview with JoongAng Ilbo, Lee claims that he personally obtained the two reports mentioned above from the Chinese hackers. Lee refused to disclose what he meant by that. But he was happy to disclose his talking points: “I am dumbfounded that these reports were leaked to China, floated around on the Internet and maybe went to North Korea,” Lee said. [...] “It shows how vulnerable the government's security systems were.”
South Korea has had troubled relations with Chinese and North Korean hackers of both the unofficial and government-sanctioned varieties. A massive cyberattack [11] on South Korean and American government domains in July 2009 stole reams of data and paralyzed high-level government websites. The South Korean government alleges that a secret North Korean military “hacker corps” [12] called Unit 110 was behind that attack. Following the July 2009 incident, the South Korean government instituted a strict anti-hacking protocol [13]. Chinese hackers are suspected of launching cyberattacks [14] on South Korea in the past, including attacks on the Korean diplomatic apparatus [15].
The take-home lesson from all of this? Government agencies around the world: Please, for the love of God, make sure your employees know the difference between a Word document and an executable file, and make sure your mail gateway checks the difference for them, because a sender name they recognize is not proof of anything. It'll save you a lot of trouble.
