lazarusholic

Catching DPRK with Korean Linguistic Traits

2024-12-13, 0xmh1
https://archive.is/v5Hqp

🇰🇵Catching DPRK with Korean Linguistic Traits🇰🇵
Recently I have been approached by a few people on how to identify and attribute malware to DPRK. Every one of us in the CTI field knows how difficult attribution is, and while I can't provide you with something like: "Because the bad guys used this Korean word they must be from the North!!11" I want to highlight some Opsec mistakes DPRK hackers often make when it comes to the Korean language. This is by no means a complete list, but I hope it helps some non-Korean researchers.
Buckle up for your not-so-normal-Korean-CTI-Excursion 🧵
#CTI #Malware #DPRK
#1 미안하다 vs 죄송하다 (Dictionary Definition: To be Sorry)
Reference: https://x.com/cyberwar_15/status/1481430358629707776…, https://x.com/cyberwar_15/status/1478558699618979844…
미안하다(mianhada) and 죄송하다(joisonghada) both mean “to be sorry”. However, in a formal context South Koreans never use the word 미안하다. 죄송하다 is always used. The above picture’s sentence translates to:
I'm sorry, but the file you requested has an error due to …
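
A triage heuristic for trait #1, added here as an example and not part of the original thread: it decodes a byte blob as UTF-8, UTF-16LE or CP949 and flags 미안하다 used in a sentence with a deferential ending. The sample strings are constructed, the function names are hypothetical, and treating -니다/-니까/-십시오 endings as "formal context" is an assumption of this example.

```python
import re

# Conjugated stems of 미안하다 / 죄송하다 (e.g. 미안합니다, 미안하지만, 죄송합니다).
TERMS = {"미안": re.compile(r"미안(?:하|합|해|했|한)"),
         "죄송": re.compile(r"죄송(?:하|합|해|했|한)")}
# Assumption: a sentence ending in a deferential ending counts as formal register.
FORMAL_END = re.compile(r"(?:니다|니까|십시오)\s*$")
# Korean strings in files are commonly UTF-8, UTF-16LE or CP949 (EUC-KR superset).
ENCODINGS = ("utf-8", "utf-16-le", "cp949")


def scan(blob: bytes):
    """Return (encoding, term, formal, sentence) for the first apology term, else None."""
    for enc in ENCODINGS:
        try:
            text = blob.decode(enc)
        except UnicodeDecodeError:
            continue  # wrong guess for this blob, try the next encoding
        for sentence in re.split(r"[.!?\r\n]+", text):
            for term, pattern in TERMS.items():
                if pattern.search(sentence):
                    formal = bool(FORMAL_END.search(sentence))
                    return enc, term, formal, sentence.strip()
    return None


def worth_a_look(blob: bytes) -> bool:
    """True only for the trait described above: 미안하다 inside a formal sentence."""
    hit = scan(blob)
    return hit is not None and hit[1] == "미안" and hit[2]


# Constructed sample strings (not taken from any real lure or sample).
SAMPLES = {
    "formal_mian": "미안하지만 요청하신 파일에 오류가 있습니다.".encode("utf-16-le"),
    "formal_joesong": "죄송합니다. 파일을 열 수 없습니다.".encode("cp949"),
    "casual_mian": "미안해, 늦었어".encode("utf-8"),
    "no_korean": b"The requested file could not be opened.",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, scan(blob), worth_a_look(blob))
```

A hit is a lead for a Korean-speaking analyst to review in context, in line with the thread's point that a single word does not settle attribution.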