
North Korean threat actor Kimsuky continues to evolve despite sanctions

New research from Rapid7 paints a picture of a fast-moving, versatile, and highly skilled hacking group.

David Hollingworth
Thu, 18 Jul 2024

Researchers at Rapid7 have been continuing to track and monitor the state-backed North Korean hacking group, and its latest observations reveal a threat actor capable of operating both at speed and at scale.

The group has been observed still making widespread use of malicious .LNK files and Compiled HTML Help (.CHM) files in several formats – mostly delivered via email and phishing techniques – but one thing that has changed is Kimsuky’s targeting.

Historically, the threat actor has focused on government and research entities, as well as think tanks, concerned with North Korean interests – typically leading to many North Korean organisations ending up in Kimsuky’s crosshairs. But that has changed; Rapid7 has observed the threat actor targeting entities in Japan, the United States, and Europe.


Kimsuky uses a range of lures aimed at both the work and private email accounts of its targets, on topics ranging from nuclear strategy (an old favourite), corporate promotional material and foreign embassies to job descriptions and Happy New Year messages. Kimsuky’s operations focus largely on credential theft, which drives further hacking operations, and on mailbox access to steal sensitive data.

The threat actor’s activity is aided by infrastructure spread across the globe, as well as some highly advanced malware tools. This raises the question – how advanced is Kimsuky’s developer pool?

“Kimsuky has a dedicated team of developers that help facilitate tools and techniques to obtain initial access and provide reconnaissance,” Matt Green, principal threat analyst at Rapid7 and co-author of the research, told Cyber Daily.

“But the pace of this development is not the major concern; the larger concern is the velocity of activity and the relentless social engineering with their approach.”

Kimsuky is, however, just one part of the North Korean threat landscape.

“There has been significant national-level attribution that Kimsuky is part of North Korea’s Reconnaissance General Bureau (RGB), and Rapid7 doesn’t have any conflicting assessments,” Green said.

“The RGB is the organisation that covers DPRK intelligence and clandestine operations, so Kimsuky likely collaborates with other groups that are part of or aligned to the RGB.”

And despite sanctions being levelled at the group in 2023 by the US Department of the Treasury, backed by Australia, Japan, and the Republic of Korea, the threat actor’s activity is difficult to curtail.

“The reality is that sanctions are sometimes effective, but most often they are not,” Green said.

“It’s difficult to accurately predict when they will work, since financial and individual sanctions, if targeted, have some limited utility. Ultimately, however, sanctions have been less effective against autocratic regimes.”

You can read the full research paper here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
