North Korean hackers weaponise Google, KakaoTalk in first-of-its-kind cyberattack targeting South Koreans

SEOUL, Nov 10 — North Korean state-sponsored hackers have hijacked Google accounts to take remote control of smartphones and tablets belonging to South Koreans, later using the KakaoTalk messenger app to spread malware to their contacts, The Korea Herald reported today.

According to South Korean cybersecurity firm Genians, the incident marks “the first confirmed case of a North Korean state-sponsored hacking group compromising Google accounts to gain remote control over smart devices.” 

The attack was attributed to North Korea’s Konni advanced persistent threat (APT) cyber espionage group, long suspected of targeting South Korean individuals and institutions.

Genians said the hackers initially infiltrated victims’ devices through spear-phishing emails impersonating South Korea’s National Tax Service. 

Once inside, the group gathered data and conducted internal reconnaissance before exploiting Google’s Find Hub service — a legitimate tool used to locate and secure lost Android devices — to execute data-wiping and tracking operations.

“This development demonstrates a realistic risk that the feature can be abused within advanced persistent threat (APT) campaigns,” the report stated.

The hackers allegedly abused Find Hub’s remote-control functions to track locations and perform factory resets on victims’ devices. 

This neutralised phones and tablets, disrupted normal recovery, and blocked KakaoTalk notifications — delaying detection of the breach.

After wiping victims’ Android devices, the hackers gained access to their KakaoTalk PC accounts, which they then used to send malicious files to contacts. 

Genians described it as “a typical social-engineering attack that leveraged trust-based communications to precisely exploit the target’s psychological and social context.”

One notable victim was a counsellor who provides psychological support to North Korean defector students. The attackers used the counsellor’s compromised KakaoTalk account to send a malicious file disguised as a “stress-relief programme,” infecting recipients’ devices when opened.

On September 15, a similar mass malware distribution was detected through another compromised KakaoTalk account.

“This combination of device neutralisation and account-based propagation is unprecedented among previously known state-sponsored APT scenarios,” Genians said, adding that it “demonstrates the attacker’s tactical maturity and advanced evasion strategy, marking a key inflection point in the evolution of APT tactics.”

The report highlighted a growing sophistication in North Korea’s cyber-espionage operations — one that weaponises legitimate digital tools and trusted social networks in ways that may be harder to detect or contain, The Korea Herald noted.