jamedjo 4 days ago

> Attribution Scenarios: Option A: DPRK Operator Embedded in PRC

> Use of Korean language, OCR targeting of Korean documents, and focus on GPKI systems strongly suggest North Korean origin.

I don't follow how needing OCR to read Korean documents points to them being North Korean?

Could also point in the opposite direction of them needing to copy the text for translation.

Thorrez 4 days ago

Their shell history shows them using OCR tools. AFAIK it doesn't show them using translation tools.

RT-Saber 4 days ago

Actually KIM was also using Google Translate (discovered through his browsing history)

jamedjo 4 days ago

Fair, and it appears I missed the first part "Use of Korean language".

The OCR still tells us more about the target than the actor, but I guess they are suggesting the choice of target itself is the indicator.

RT-Saber 4 days ago

We believe KIM is Chinese but working for both Chinese and North Korean interests/governments. He speaks only very little Korean; he translates Korean websites into simplified Chinese using Google Translate and uses OCR to translate Korean documents into Chinese.