skip to Main Content

Cyber Espionage, Kimsuky North Korea’s hackers exposed

Kimsuky North Korea’s hackers TTPs have been exposed by US CISA, FBI, and CNMF in a report. Here there are the key fingings

Kimsuky North Korea’s cyber espionage group’s TTPs have been unveiled. US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF) released a report on the tactics, techniques, and procedures used by the APT against worldwide targets, to gain intelligence on various topics of interest to Pyongyang. The key findings are:

  • Kimsuky APT group has most likely been operating since 2012.
  • The group is most likely tasked by the North Korean regime with a global intelligence gathering mission.
  • It employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.
  • It is most likely to use spearphishing to gain initial access into victim hosts or networks.
  • The malicious hackers conduct their intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
  • Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.

The cybersecurity experts: The cyber espionage APT specifically targets individuals identified as experts in various fields, think tanks, and South Korean government entities

According the cybersecurity experts, Kimsuky specifically targets individuals identified as experts in various fields, think tanks, and South Korean government entities. CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training

Pyongyang malicious hackers use various spearphishing and social engineering methods to obtain Initial Access to victim networks

North Korean hackers use various spearphishing and social engineering methods to obtain Initial Access to victim networks. Spearphishing—with a malicious attachment embedded in the email—is the most observed Kimsuky tactic. The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools. It likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail. Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link.

Fake interviews to build trust of the victims

Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The emails contained the subject line “Skype Interview requests of [Redacted TV Show] in Seoul,” and began with a request to have the recipient appear as a guest on the show. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula. After a recipient agreed, the North Korean hackers sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). When the date of the interview drew near, Kimsuky sent an email canceling the interview.

Spearphishing and social engineering approaches use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews. After obtaining initial access, Kimsuky uses BabyShark malware and PowerShell or the Windows Command Shell for Execution

Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews. Other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions (Phishing: Spearphising Link, Drive-by Compromise, Man-in-the-Browser). After obtaining initial access, Kimsuky uses BabyShark malware and PowerShell or the Windows Command Shell for Execution. North Korean APT has demonstrated the ability to establish Persistence in cyber espionage operations through malicious browser extensions, modifying system processes, manipulating the autostart execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application. By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions.

Back To Top