Sizing Up Activities of North Korea's Kimsuky APT GroupAlert From CISA, FBI Describes Espionage Campaigns
The U.S. Cybersecurity and Infrastructure Security Agency and the FBI have issued an alert providing details on the activities of a North Korean hacking group dubbed Kimsuky.
The advanced persistent threat group, which has primarily focused on South Korean targets, has also conducted espionage campaigns against targets in the U.S. and Japan, according to a joint alert that included input from U.S. Cyber Command.
The alert notes that Kimsuky frequently targets businesses, think tanks, government agencies and individuals.
Kimsuky, which has been active since 2012, deploys spear-phishing campaigns and watering-hole attacks. The group appears to have ties to another North Korean hacking group called Hidden Cobra, which is also referred to as the Lazarus Group (see: US Agencies Warn of Uptick in North Korean Bank Heists).
"This actor has been active for some time now and doesn’t show any sign of letting up as they are showing constant activity," Brian Bartholomew, a principal security researcher with Kaspersky who has studied Kimsuky, tells Information Security Media Group. "They traditionally target South Korean entities, but sometimes go outside that box, targeting other government entities in the EU and U.S."
The joint alert notes that Kimsuky primarily collects intelligence concerning foreign policy and national security issues related to the Korean peninsula as well as nuclear policy and sanction proposals that affect North Korea.
The report notes that Kimsuky hackers deploy several spear-phishing techniques to harvest credentials and other data from potential victims. It uses stolen web hosting usernames and passwords to inject malicious scripts into websites or to create spoofed versions of Google Gmail or Yahoo email domains.
Kimsuky also deploys social engineering techniques. In some cases, hackers pose as reporters and ask to interview potential victims over Skype about issues related to North Korean or South Korean politics and other issues, according to the joint alert.
"After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body," according to the alert.
The alert also notes that Kimsuky deploys malware dubbed BabyShark, which was used against a U.S. think tank, according to previous reports (see: Cyber Espionage Campaign Uses Spoofed Websites).
BabyShark is Visual Basic Script-based malware that was first uncovered by researchers in 2019. In a previous report, analysts with Palo Alto Network's Unit 42 described how the BabyShark malware exfiltrates data from infected systems and transfers the information to a command-and-control server. That report also described similarities between BabyShark and another malware variant tied to North Korean hackers called KimJongRAT.
Once installed within a compromised device, BabyShark enables allows hackers to maintain persistence within a network while awaiting further instructions from its operators, according to Unit 42.
Kurt Baumgartner, a principal security researcher at Kaspersky, notes that most of the APT group’s techniques and tools are not as advanced as those used by other nation-state threat groups.
"They have modified their malware set and continue to be highly active," Baumgartner tells ISMG. "When compared to groups like [Iranian-linked] Muddywater, which has made large advances in technical capabilities over the past several years, this group has not advanced by leaps and bounds. However, they deliver capabilities that are adequate."
Managing Editor Scott Ferguson contributed to this report.