North Korean Hackers Use ChatGPT to Create Fake IDs in Phishing Attack on South Korean Military


A suspected hacking group linked to North Korea has employed advanced AI technologies, including ChatGPT, to create fake military identification cards in an elaborate phishing scheme targeting South Korean military agencies and civil organizations. The Seoul-based cybersecurity firm Genians provided insights into the operation, revealing that the group, known as Kimsuky, sent emails that appeared to solicit reviews of purported “sample” ID designs for civilian employees.

The phishing emails included images crafted using deepfake technologies and designed to closely resemble authentic military IDs, which made the lure appear credible to recipients. Accompanying messages contained links that, once clicked, installed malware capable of exfiltrating sensitive information from the victims’ computers and devices.

Interestingly, Kimsuky appeared to have navigated past safeguards set by AI platforms like ChatGPT. By framing their requests as innocuous mock-up designs rather than actual military ID cards, they successfully leveraged AI tools for their nefarious purposes. Genians noted, “They probably persuaded the AI models by saying they were producing sample designs, not replicating actual military ID cards.”

Complicating matters further, the phishing emails were dispatched from fraudulent addresses such as “.mli.kr,” which mimicked South Korea’s legitimate defense domains, which typically end in “.mil.kr.” This tactic was likely intended to bolster the legitimacy of the fraudulent communications.
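A mail gateway or triage script can catch this kind of lookalike by comparing each sender's domain suffix with the protected one. The sketch below is an added example, not code from Genians or from this article; the function names and sample addresses are constructed for illustration, and only the “.mil.kr” and “.mli.kr” suffixes come from the text.

```python
from email.utils import parseaddr

# Legitimate suffix named in the article; extend with your own domains.
PROTECTED_SUFFIXES = ["mil.kr"]

def osa_distance(a: str, b: str) -> int:
    """Edit distance that also counts swapping two adjacent characters as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def classify_sender(from_header: str, max_distance: int = 1) -> str:
    """Return 'matches', 'lookalike' or 'other' for a From header.

    'matches' only means the suffix is the protected one; it says nothing
    about whether the message passed SPF, DKIM or DMARC.
    """
    address = parseaddr(from_header)[1]
    domain = address.rpartition("@")[2].lower().rstrip(".")
    labels = domain.split(".")
    for suffix in PROTECTED_SUFFIXES:
        depth = suffix.count(".") + 1
        tail = ".".join(labels[-depth:])  # same number of labels as the suffix
        if tail == suffix:
            return "matches"
        if osa_distance(tail, suffix) <= max_distance:
            return "lookalike"
    return "other"

# Constructed sample senders, not taken from the campaign.
SAMPLES = [
    "Personnel Office <hr@unit.mli.kr>",
    "notice@unit.mil.kr",
    "info@example.co.kr",
]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(f"{classify_sender(sender):10} {sender}")
```

A distance threshold of 1 also flags unrelated domains that happen to sit one edit away from the protected suffix, so treat a hit as a reason to quarantine and review rather than as proof of spoofing.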

The incident underscores the increasing sophistication in North Korea’s use of generative AI and deepfake technologies for malicious cyber operations. Earlier this year, US-based AI firm Anthropic disclosed that North Korean hackers had utilized its Claude model to fabricate false résumés, cover letters, and coding samples in attempts to secure employment with overseas IT firms. Once hired, these hackers allegedly exploited their positions to carry out technical work and gather intelligence.

Mun Chong-hyun, the director at Genians, emphasized the alarming trend, stating that hackers can now utilize generative AI at nearly every phase of a cyber attack, from strategic planning to the development of malware and impersonation of recruiters.

The Kimsuky group has been recognized by authorities in both Washington, D.C., and Seoul as a state-sponsored cyber-espionage entity, with the US Department of Homeland Security characterizing it as primarily tasked with a global intelligence-gathering mission on behalf of the North Korean regime. Officials believe that North Korea’s overarching cyber strategy encompasses activities such as phishing, cryptocurrency theft, and covert IT contracting, all aimed at funding its heavily sanctioned nuclear weapons program. The total number of victims affected by this latest phishing campaign has not yet been determined.

SSBCrackExams
