skip to Main Content

Honeybee, a cyber operation that targeted humanitarian aid organizations in Korean Peninsula

Honeybee, A Cyber Operation That Targeted Humanitarian Aid Organizations In Korean Peninsula

The operation Honeybee is a cyber malicious campaign against humanitarian aid organizations in Korean Peninsula

It’s called operation Honeybee and is a cyber malicious campaign that targeted humanitarian aid organizations. It has been discovered by cybersecurity experts of McAfee. The lure are North Korean political topics and the vector of attacks fake Microsoft Word documents. Moreover, these documents, “authored by the same actor that indicate a tactical shift, do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them”, McAfee Blog stated. The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17. On January 15, Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor. The Korean-language Word document manual.doc appeared in Vietnam 2 days later with the original author name of Honeybee. More documents surfaced between January 17 and February 3. All contain the same Visual Basic macro code and author name.

The hacker behind the cyber attacks is likely a Korean speaker. He targeted not only South Korea, but abroad too

McAfee has identified “snoopykiller@mail.ru” tied to Honeybee operation. The actor registered two free hosting accounts: navermail.byethost3.com, which refers to the popular South Korean search engine, and nihon.byethost11.com. The email address was used to register a free account for a control server in all the implants described in cybersecurity experts analysis. Based on different elements, the author of the cyber attacks is likely a Korean speaker and he targeted those involved in humanitarian aid and inter-Korean affairs. But his operations expanded beyond Korea Peninsula borders, arriving in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. His malicious code is based on previous versions of the SYSCON backdoor. Some new droppers have not been observed before in the wild and the MaoCheng dropper was apparently created specifically for this operation (appeared just twice in the wild).

The McAfee integral analysis on Honeybee

 

 

 

Back To Top