US and South Korea join forces to smash 'Kimsuky' hackers

South Korea has officially sanctioned the notorious North Korean hacking group "Kimsuky" in an attempt to curb its spear-phishing campaigns.
Christopher McFadden
[Image: US and South Korean flags. Caption: The US and South Korea join forces to combat cybercrime. Credit: Oleksii Liskonih/iStock]

A North Korean hacking group called "Kimsuky" has been officially sanctioned by South Korean authorities, the first country in the world to do so. Accused of stealing secret technologies and other sensitive information, the group relies on social engineering to trick targets into handing over information that is then passed to the North Korean government.

“It [Kimsuky] has collected intelligence from individuals and institutions in diplomacy, security, and national defense and has provided it to the North Korean regime,” said the South Korean Foreign Ministry in a statement Friday. “In addition, North Korean hacking organizations, including ‘Kimsuky,’ have been directly or indirectly involved in developing North Korea’s so-called ‘satellite’ by stealing advanced technologies globally related to weapons development, artificial satellites, and space," they added.

A joint advisory released by the United States and South Korea has revealed that the group carries out "large-scale" cyber attacks on think tanks, academic institutions, and news outlets. According to Seoul's foreign ministry, the hackers are notorious for spearphishing campaigns wherein they impersonate legitimate journalists, academics, or individuals with credible connections to North Korean policy circles.

The advisory was issued in part in response to North Korea's failed attempt to launch a surveillance satellite earlier this week. Much of the technology involved is believed to have been obtained through digital espionage by groups such as "Kimsuky."

“These North Korean cyber actors are known to conduct spear phishing campaigns posing as real journalists, academics, or other individuals with credible links to North Korean policy circles,” reads the advisory report. “The [Democratic People’s Republic of Korea] employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets,” it added. According to the joint advisory, "Kimsuky" refers to a group of cyber actors in North Korea under the administrative control of a unit within the Reconnaissance General Bureau (RGB). The group has “conducted broad cyber campaigns in support of RGB objectives since at least 2012," it said.

Kimsuky's modus operandi – impersonate journalists

“Kimsuky actors’ primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime,” it added. The group's modus operandi is to impersonate a journalist, an academic, or a think-tank researcher and send an email requesting an interview or participation in a survey. “A Kimsuky actor will use multiple personas to engage a target; one persona to conduct initial outreach and a second persona to follow-up on the first engagement to distract a potential victim from discerning the identity of the original persona,” reads the joint cybersecurity advisory.

“Once DPRK cyber actors establish engagement with a target, the actors attempt to compromise the account, device, or network belonging to the target by pushing malicious content in the form of a malicious macro embedded within a text document,” it said. “This document is either attached directly to the email or stored in a file hosting service, such as Google Drive or Microsoft OneDrive. When enabled, these malicious macros quietly establish connections with Kimsuky command and control infrastructure and provide access to the target’s device,” the report continued.
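The two delivery paths the advisory describes (a macro-bearing Office document attached directly, or a link to a file-hosting service such as Google Drive or OneDrive) are both easy to triage automatically. The following Python script is an added example written for this page; it is not code from the advisory, the article, or either government. The short-link and docs.google.com domains, the constructed lure e-mail, and the placeholder VBA archive are assumptions made here for illustration. It inspects attachment contents rather than trusting the file extension, so a .docm renamed to .docx is still caught.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# File-hosting services named in the advisory. docs.google.com and 1drv.ms
# are aliases assumed here; they are not mentioned on the page.
HOSTING_DOMAINS = ("drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms")
# Extensions Office reserves for macro-enabled documents.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")
URL_RE = re.compile(r"https?://([^\s/\"'<>]+)", re.IGNORECASE)


def host_matches(host: str, domains) -> bool:
    """Exact or subdomain match, so 'evildrive.google.com' is not a hit."""
    host = host.lower().rsplit(":", 1)[0]
    return any(host == d or host.endswith("." + d) for d in domains)


def ooxml_has_vba(data: bytes) -> bool:
    """True if an Office Open XML (.docx/.docm/...) archive carries a VBA project.
    Legacy binary .doc files need an OLE parser (e.g. olefile) and are not covered."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def analyse_message(raw: bytes) -> dict:
    """Flag macro documents attached directly and file-hosting links in the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"macro_attachments": [], "hosting_links": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Check content, not just the name: a renamed .docm still contains
        # word/vbaProject.bin inside the archive.
        if name.lower().endswith(MACRO_EXTENSIONS) or ooxml_has_vba(data):
            findings["macro_attachments"].append(name)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for host in URL_RE.findall(text):
        if host_matches(host, HOSTING_DOMAINS):
            findings["hosting_links"].append(host)
    findings["suspicious"] = bool(findings["macro_attachments"] or findings["hosting_links"])
    return findings


def build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML archive; only the entry names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder\x00")
    return buf.getvalue()


def build_sample_email(filename: str, with_vba: bool, link: str) -> bytes:
    """Constructed interview-request lure in the style the advisory describes."""
    msg = EmailMessage()
    msg["From"] = "Reporter Persona <persona@example.com>"
    msg["To"] = "analyst@example.org"
    msg["Subject"] = "Interview request"
    msg.set_content(f"Could you answer the attached questions?\nA copy is also at:\n{link}\n")
    msg.add_attachment(build_ooxml(with_vba), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_email("questions.docx", True, "https://drive.google.com/file/d/x/view")
    print(analyse_message(lure))
    clean = build_sample_email("notes.docx", False, "https://example.org/paper.pdf")
    print(analyse_message(clean))
```

Run it against an .eml exported from a mail client by reading the file as bytes and calling analyse_message; in a gateway you would raise the score for an external sender whose display name claims a newsroom or university affiliation, which is the persona pattern the advisory highlights.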

"Kimsuky" has allegedly been behind several large-scale cyberattacks in South Korea in recent years, including the theft of the personal data of 830,000 people at the Seoul National University Hospital in 2021. They were also implicated in a cyberattack on South Korea’s state-backed Korea Hydro & Nuclear Power, a subsidiary of the Korea Electric Power Corporation, in 2014.
