by jamedjo 279 days ago
> Attribution Scenarios: Option A: DPRK Operator Embedded in PRC

> Use of Korean language, OCR targeting of Korean documents, and focus on GPKI systems strongly suggest North Korean origin.

I don't follow how needing OCR to read Korean documents points to them being North Korean?

Could also point in the opposite direction of them needing to copy the text for translation.

2 comments

Their shell history shows them using OCR tools. AFAIK it doesn't show them using translation tools.

Actually, KIM was also using Google Translate (discovered through his browsing history).

Fair, and it appears I missed the first part "Use of Korean language".

The OCR still tells us more about the target than the actor, but I guess they are suggesting the choice of target itself is the indicator.

We believe KIM is Chinese but working for both Chinese and North Korean interests/governments. He speaks only very little Korean; he translates Korean websites into simplified Chinese using Google Translate and uses OCR to translate Korean documents into Chinese.