The Phantom Syndicate: a hacking collective with a North Korean allegiance

Friday 4 October 12:00 - 12:30, Red room

Olivia Lee (S2W)

In December 2023, South Korea was shaken by an alarming incident that serves as a potential harbinger of global cybersecurity threats. Dubbed the 'North Korean Propaganda Distribution Campaign', this event was orchestrated by the notorious hacking group Skidsec. Their goal was to disseminate propaganda featuring North Korean leader Kim Jong-un through printers across South Korea within a timespan of 24 hours.

Skidsec meticulously identified a vulnerability in the IPP (Internet Printing Protocol) authentication system of a South Korean printer manufacturer, sharing a method to access 3,439 printers. As a result, printers across the nation began spewing out North Korean propaganda materials. Capitalizing on this, Skidsec released a list of 1,381 accessible printers, threatening further attacks. In their second campaign, the attackers escalated tensions by including the message 'The Great Leader Kim Il-sung will always be with us' and distributing a custom script called 'PrinterGun', enabling anyone to easily spread such propaganda.

While this incident took place in South Korea, its implications are far-reaching and should be taken seriously on a global scale. Skidsec's actions are not merely a regional issue; they highlight a vulnerability that any nation could face. Today, devices like printers and other IoT (Internet of Things) devices are ubiquitous in homes and businesses worldwide. As Skidsec demonstrated, these devices can be exploited through their vulnerabilities, making them easy targets for malicious attacks. Although South Korea was the initial target, tomorrow, any device in any country could be used as a tool to further ideological agendas.

Skidsec's actions serve as a stark warning of how ideology-driven attacks can leverage technology to spread globally. Not just printers, but also smart home devices, medical equipment, and even transportation systems – all connected to the internet – can become potential targets. This situation illustrates how political issues within a single country can escalate and have a global impact. Moreover, this technology-driven spread of ideology transcends physical borders, evolving into a cyber threat that can strike anytime, anywhere.

The S2W Threat Intelligence Center is thoroughly analysing Skidsec's motives and the global cybersecurity implications of their actions. We are investigating whether this group is genuinely operating under North Korean directives, what benefits they seek from these campaigns, and the origins of their pro-North Korean stance. We aim to share our analysis of their ultimate goals and the potential financial gains they could achieve through these operations. We will present our findings on Skidsec's objectives and how their political goals could be furthered through cyberspace.

Back to VB2024 Programme page

Back to VB2024 conference page

Register for VB2024

Other VB2024 papers