Google declined to comment on who might be responsible for the attacks, but Russian security firm Kaspersky tells WIRED it has linked Google's findings with DarkHotel, a group that has targeted North Koreans in the past and is suspected of working on behalf of the South Korean government.South Koreans spying on a northern adversary that frequently threatens to launch missiles across the border is not unexpected. But the country's ability to use five zero days in a single spy campaign within a year represents a surprising level of sophistication and resources. "Finding this many zero-day exploits from the same actor in a relatively short time frame is rare," writes Google TAG researcher Toni Gidwani in the company's blog post. "The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues," In a followup email, Google clarified that a subset of the victims were not merely from North Korea, but in the country, suggesting that these targets weren't North Korean defectors, whom the North Korean regime frequently targets.
Within hours of Google linking the zero-day vulnerabilities to attacks targeting North Koreans, Kaspersky was able to match two of the vulnerabilities—one in Windows, one in Internet Explorer—with those it has specifically tied to DarkHotel. The security firm had previously seen those bugs exploited to plant known DarkHotel malware on their customers' computers. (Those DarkHotel-linked attacks occurred before Microsoft patched its flaws, Kaspersky says, suggesting that DarkHotel wasn't merely reusing another group's vulnerabilities.) Since Google attributed all five zero-days to a single hacker group, "it’s quite likely that all of them are related to DarkHotel," says Costin Raiu, the head of Kaspersky's Global Research & Analysis Team.
Raiu points out that DarkHotel has a long history of hacking North Korean and Chinese victims, with a focus on espionage. "They're interested in getting information such as documents, emails, pretty much any bit of data they can from these targets," he says. Raiu declined to speculate on what country's government might be behind the group. But DarkHotel is widely suspected of working on behalf of the South Korean government, and the Council on Foreign Relations names DarkHotel's suspected state sponsor as the Republic of Korea.DarkHotel's hackers are believed to have been active since at least 2007, but Kaspersky gave the group its name in 2014 when it discovered that the group was compromising hotel Wi-Fi networks to carry out highly targeted attacks against specific hotel guests based on their room numbers. In just the last three years, Raiu says Kaspersky has found DarkHotel using three zero-day vulnerabilities beyond the five now linked to the group based on Google's blog post. "They're probably one of the actors that’s the most resourceful in the world when it comes to deploying zero days," Raiu says. "They seem to be doing all this stuff in-house, not using code from other sources. It says a lot about their technical skills. They're very good."