Cyber Incident Victim: The Asan Institute for Policy Studies
Date: Jan 2017
Location: South Korea
Summary
A North Korea-linked threat actor, Lazarus APT, exploited an ActiveX zero-day vulnerability on a South Korean national security think tank's website. The attackers deployed reconnaissance scripts to profile targets by identifying browser and OS configurations, specifically checking for ActiveX-enabled Internet Explorer systems common in South Korean government-mandated environments. Malicious ActiveX controls delivered the Akdoor backdoor malware via compromised domains previously associated with Lazarus infrastructure, using filenames and C&C servers tied to historical operations including financial heists. The malware executed commands via Command Prompt while leveraging profiling techniques consistent with the group's tradecraft.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
In early 2017, the Lazarus Advanced Persistent Threat (APT) group, linked to North Korea, initiated a cyberattack targeting the website of a South Korean national security-focused think tank, identified by researchers as the Asan Institute for Policy Studies. The attackers deployed reconnaissance scripts in January 2017, leveraging modified PinLady’s Plugin-Detect code to profile victims’ systems, specifically checking for Internet Explorer usage, ActiveX enablement, and the presence of targeted ActiveX components. This reconnaissance phase aligned with Lazarus’s established tactics of gathering intelligence before deploying exploits. By late April 2018, the group escalated the attack by injecting a malicious ActiveX zero-day exploit into the think tank’s website. The exploit leveraged South Korea’s government-mandated reliance on ActiveX controls, which remained enabled on most systems in the country despite broader global disuse. Upon successful exploitation, the script downloaded malware from the compromised peaceind.co.kr domain, saving it as splwow32.exe—a filename previously associated with Lazarus-linked operations, including the 2016 Taiwan bank heist. The payload connected to a command-and-control (C&C) server historically linked to Lazarus malware campaigns as early as 2015.

The attack delivered Akdoor, a backdoor malware designed to execute arbitrary commands via Command Prompt, enabling persistent remote access to compromised systems. Researchers at AlienVault and cybersecurity expert Simon Choi confirmed the Lazarus group’s involvement through technical overlaps, including the reuse of infrastructure and malware signatures tied to prior operations. The profiling scripts’ data exfiltration mechanism mirrored Lazarus’s known attack patterns, while the peaceind.co.kr domain’s preexisting vulnerabilities facilitated the malware delivery. The incident exposed sensitive systems at a policy organization central to South Korean national security discussions, though specific data breaches or operational disruptions were not detailed in public analyses. AlienVault published indicators of compromise (IoCs), including C&C URLs and malware hashes, to aid detection. Choi publicly shared samples of the reconnaissance scripts and ActiveX exploit via Twitter, highlighting the attack’s timeline and technical execution. No mitigation actions by the Asan Institute itself were described in the available reporting.
