The Asan Institute for Policy Studies

Aliases: 2 aliases
Primary URL: www[.]asaninst[.]org
Location: South Korea
Industry: Government - National
Profile

The Asan Institute for Policy Studies, a South Korean national security think tank, was the target of a sophisticated cyber espionage campaign on January 1, 2017. The attack was attributed to the North Korea-linked Lazarus APT group, which exploited an ActiveX zero-day vulnerability present on the institute's official website. This method of initial compromise was specifically chosen to target environments common within South Korean government and affiliated sectors, where ActiveX support in Internet Explorer remained prevalent due to historical regulatory requirements. Upon successful exploitation, the attackers deployed reconnaissance scripts designed to profile potential victims by gathering detailed information about their browser configurations and operating systems. This profiling allowed the threat actors to selectively target individuals of interest, likely researchers or staff associated with national security policy analysis, by confirming their use of vulnerable, ActiveX-enabled systems.

The final stage of the attack involved the delivery of the Akdoor backdoor malware through malicious ActiveX controls hosted on compromised domains previously linked to Lazarus infrastructure. This malware established persistent command and control communication, enabling remote execution of commands via the Windows Command Prompt. The technical tradecraft, including the specific use of profiling scripts and the reuse of filenames and command-and-control servers associated with Lazarus's historical financial theft operations, demonstrated a consistent and evolving operational methodology. The incident underscores the institute's role as a high-value target for state-sponsored intelligence gathering due to its policy research focus on South Korean national security, inter-Korean relations, and regional strategic issues. As a recognized center for policy studies in Seoul, its work likely provides strategic insights that make it a compelling objective for foreign intelligence services seeking to monitor South Korean policy developments and governmental planning. The attack highlighted the ongoing threat posed by advanced persistent threat groups that leverage region-specific technical vulnerabilities to penetrate organizations involved in critical policy analysis.

Incidents
1 incident