A lot of South Korean organizations use AhnLab security products, and because the targets are almost exclusively from South Korea, the attackers don't even bother trying to evade security products from other vendors, Tarakanov said.
Taking into account the profiles of the targeted organizations, one could easily suspect that the attackers might be from North Korea, the researcher said. "The targets almost perfectly fall into their sphere of interest."
One piece of evidence that supports this theory has to do with the geographic location of the Internet Protocol (IP) addresses used by the attackers.
"During our analysis, we observed ten IP addresses used by the Kimsuky operators," Tarakanov said. "All of them lie in ranges of the Jilin Province Network and Liaoning Province Network, in China."
"Interestingly, the ISPs providing Internet access in these provinces are also believed to maintain lines into North Korea," the researcher said, adding that no other IP addresses have been discovered that would put the attackers' activity in other IP ranges.
South Korea frequently attributes cyberattacks against organizations and institutions in the country to North Korean hackers. However, as with most cyberattacks in general, establishing the location of attackers with a high degree of certainty is not possible.