The Threat of Kimsuky: North Korea’s Cyber Warfare Arm

In the complex world of cyber warfare, one name stands out for its persistent and sophisticated attacks: Kimsuky.

This North Korean state-backed hacker group has become a formidable force in the landscape of international cybersecurity.

As we increasingly rely on digital platforms for everything from government operations to corporate strategies, understanding the threat posed by groups like Kimsuky is more important than ever.

In this blog post, we will delve into the clandestine operations of Kimsuky, unveiling the tactics, techniques, and procedures that have earned it the label of an Advanced Persistent Threat (APT).

We aim to shed light on how this group, operating from the shadows, has managed to infiltrate some of the most secure systems around the globe, and what it means for our collective digital security.

Who is Kimsuky?

Kimsuky, also known as Velvet Chollima and Black Banshee, is a cyber espionage group thought to originate from North Korea.

This group has been active since at least 2012 and is associated with a series of cyber-attacks targeting government entities and research institutions, primarily in South Korea.

Kimsuky has shown a particular interest in foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.

It’s believed that the group’s activities serve the strategic interests of North Korea, gathering intelligence and stealing information that aids in decision-making and policy formulation.

Motivation

The motivation behind Kimsuky’s operations appears to be twofold: intelligence gathering and disruption. Given their focus on sensitive sectors, it’s clear that this group seeks to obtain classified information that could potentially benefit North Korea’s strategic interests.

Their disruptive activities, on the other hand, seem designed to create chaos, confusion, and fear. These actions, often involving data destruction or manipulation, serve to further North Korea’s geopolitical goals by destabilizing perceived enemies or rivals.

Modus Operandi

Kimsuky employs a variety of methods to carry out its cyber-attacks. These include spear-phishing, social engineering, and watering hole attacks.

The group often impersonates journalists, government officials, or other professionals to lure victims into opening malicious emails or visiting infected websites.

Over the years, Kimsuky has evolved and adapted its techniques, becoming more sophisticated in its approach.

The group has been known to use custom malware families like BabyShark and AppleSeed in its operations.

It has also demonstrated the capability to exploit zero-day vulnerabilities, making it a formidable threat in cyberspace.

Once inside a network, Kimsuky typically uses custom malware tools to steal sensitive information. These tools have evolved over time, showcasing the group’s adaptability and sophistication in bypassing security measures.

Targets and Impact

While South Korea has been a primary target, Kimsuky’s operations have expanded globally over the years.

The group has reportedly targeted organizations in the United States, Japan, and Europe. Its focus has largely been on gathering intelligence related to foreign policy, national security, and nuclear power.

The impact of Kimsuky’s activities is substantial. The group’s operations can compromise national security, disrupt critical infrastructure, and potentially sway geopolitical dynamics.

Countermeasures and Mitigation

Cybersecurity firms and international law enforcement agencies have made considerable efforts to track and counter Kimsuky’s activities.

Initiatives include raising awareness about the group’s tactics, techniques, and procedures (TTPs), and developing specific cybersecurity measures to mitigate their threats.

Nevertheless, the ever-evolving nature of cyber threats necessitates continuous vigilance and proactive measures.

Organizations are advised to maintain robust security protocols, provide regular employee training on cyber threats, and ensure systems and software are always up to date.

Indicators of Compromise (IoCs)

Kimsuky’s operations leave behind a trail of digital breadcrumbs that can be used to detect their activities. These indicators of compromise (IoCs) are critical in identifying the group’s presence and mitigating their threats.

Domains Used by Kimsuky

Kimsuky has been linked to a myriad of domains, which they use as part of their phishing campaigns and malware distribution networks. Some of the domains associated with Kimsuky include:

login.bignaver[.]com
nytimes.onekma[.]com
webuserinfo[.]com
member.navier.pe[.]hu
nid.naver.onektx[.]com
pro-navor[.]com
cloudnaver[.]com
read.tongilmoney[.]com
naver[.]pw
resetprofile[.]com
nid.naver.unicrefia[.]com
daurn[.]org
servicenidnaver[.]com
mail.unifsc[.]com
naver.com[.]de
account.daurn.pe[.]hu
member.daum.unikortv[.]com
ns.onekorea[.]me
login.daum.unikortv[.]com
securetymail[.]com
riaver[.]site
account.daum.unikortv[.]com
help-navers[.]com
mailsnaver[.]com
daum.unikortv[.]com
beyondparallel.sslport[.]work
cloudmail[.]cloud
member.daum.uniex[.]kr
comment.poulsen[.]work
helpnaver[.]com
jonga[.]ml
impression.poulsen[.]work
view-naver[.]com
myaccounts.gmail.kr-infos[.]com
statement.poulsen[.]work
view-hanmail[.]net
naver.hol[.]es
demand.poulsen[.]work
login.daum.net-accounts[.]info
dept-dr.lab.hol[.]es
sankei.sslport[.]work
read-hanmail[.]net
Daurn.pe[.]hu
sts.desk-top[.]work
net.tm[.]ro
Bigfile.pe[.]hu
hogy.desk-top[.]work
daum.net[.]pl
Cdaum.pe[.]hu
kooo[.]gq
usernaver[.]com
eastsea.or[.]kr
tiosuaking[.]com
naver.com[.]ec
myaccount.nkaac[.]net
help.unikoreas[.]kr
naver.com[.]mx
naver.koreagov[.]com
resultview[.]com
naver.com[.]se
naver.onegov[.]com
account.daum.unikftc[.]kr
naver.com[.]cm
member-authorize[.]com
ww-naver[.]com
nid.naver.com[.]se
naver.unibok[.]kr
vilene.desk-top[.]work
csnaver[.]com
nid.naver.unibok[.]kr
amberalexander.ghtdev[.]com
nidnaver[.]email
read-naver[.]com
nidnaver[.]net
cooper[.]center
dubai-1[.]com
coinone.co[.]in
nidlogin.naver.corper[.]be
naver.com[.]pl
nid.naver.corper[.]be
gloole[.]net
naver[.]cx
naverdns[.]co
smtper[.]org
smtper[.]cz
naver.co[.]in
login.daum.kcrct[.]ml
myetherwallet.com[.]mx
downloadman06[.]com
login.outlook.kcrct[.]ml
myetherwallet.co[.]in
loadmanager07[.]com
top.naver.onekda[.]com
com-download[.]work
com-option[.]work
com-sslnet[.]work
com-vps[.]work
com-ssl[.]work
desk-top[.]work
intemet[.]work
jp-ssl[.]work
org-vip[.]work
sslport[.]work
sslserver[.]work
ssltop[.]work
taplist[.]work
vpstop[.]work
webmain[.]work
preview.manage.org-view[.]work
intranet.ohchr.account-protect[.]work

Additionally, Kimsuky has used several URLs, listed here with their hosts redacted, to carry out its objectives, including:

[REDACTED]/home/dwn[.]php?van=101
[REDACTED]/home/dwn[.]php?v%20an=101
[REDACTED]/home/dwn[.]php?van=102
[REDACTED]/home/up[.]php?id=NQDPDE
[REDACTED]/test/Update[.]php?wShell=201

These IoCs can support organizations in fortifying their cybersecurity measures and mitigating the potential threats posed by Kimsuky.

However, as the group’s tactics evolve, it’s crucial to stay updated with the latest developments in their activities.
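The following script is an added example, not code from the original post or from any vendor report on Kimsuky. It shows how the defanged indicators above can actually be put to work: it refangs a subset of the listed domains and the redacted URL paths, then scans proxy log lines for hosts that equal or sit under an IoC domain and for request paths that match the redacted URL patterns (whose hosts are unknown, so only the path and query can be matched). The log format, the IP addresses and every log line are constructed for the example; the `IocMatcher` and `scan_proxy_log` names are assumptions.

```python
"""Refang the post's defanged Kimsuky IoCs and match them against proxy log lines.

Added example; the log format and all sample lines are constructed, not real traffic.
"""
import re
from urllib.parse import unquote, urlsplit

# Subset of the defanged domains from the post's IoC list.
DEFANGED_DOMAINS = [
    "login.bignaver[.]com",
    "nid.naver.onektx[.]com",
    "naver[.]pw",
    "daum.unikortv[.]com",
    "sslport[.]work",
    "intranet.ohchr.account-protect[.]work",
]

# Redacted URL patterns from the post: the host is unknown, so only the
# path and query string are usable as a signal.
DEFANGED_URL_PATHS = [
    "/home/dwn[.]php?van=101",
    "/home/dwn[.]php?v%20an=101",
    "/home/dwn[.]php?van=102",
    "/home/up[.]php?id=NQDPDE",
    "/test/Update[.]php?wShell=201",
]


def refang(indicator: str) -> str:
    """Undo common defanging so indicators compare equal to live log data."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'Host.' and 'host' match."""
    return host.strip().rstrip(".").lower()


def canonical_path(path_query: str) -> str:
    """Percent-decode path and query so encoded variants (v%20an) compare equal."""
    path, _, query = path_query.partition("?")
    return unquote(path) + ("?" + unquote(query) if query else "")


class IocMatcher:
    """Matches hosts (exact or subdomain) and URL paths against refanged IoCs."""

    def __init__(self, domains, url_paths):
        # Longest IoC first so the most specific domain is reported on a hit.
        self.hosts = sorted({normalize_host(refang(d)) for d in domains},
                            key=len, reverse=True)
        self.paths = {canonical_path(refang(p)) for p in url_paths}

    def host_hit(self, host: str):
        host = normalize_host(host)
        for ioc in self.hosts:
            # Match only on a label boundary: 'bignaver.com' must not hit 'naver.com'.
            if host == ioc or host.endswith("." + ioc):
                return ioc
        return None

    def path_hit(self, path_query: str):
        canon = canonical_path(path_query)
        return canon if canon in self.paths else None

    def check_url(self, url: str) -> dict:
        parts = urlsplit(url)
        path_query = parts.path + ("?" + parts.query if parts.query else "")
        return {"host_ioc": self.host_hit(parts.hostname or ""),
                "path_ioc": self.path_hit(path_query)}


# Constructed proxy log format: <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

SAMPLE_PROXY_LOG = """\
2024-01-15T10:22:01Z 10.1.2.3 GET https://www.naver.com/ 200
2024-01-15T10:22:07Z 10.1.2.3 GET http://nid.naver.onektx.com/login 200
2024-01-15T10:23:15Z 10.1.2.9 GET http://beyondparallel.sslport.work/home/dwn.php?van=101 200
2024-01-15T10:24:40Z 10.1.2.9 POST http://203.0.113.5/home/up.php?id=NQDPDE 200
2024-01-15T10:25:02Z 10.1.2.4 GET http://example.org/home/dwn.php?v%20an=101 404
2024-01-15T10:26:00Z 10.1.2.4 GET https://mail.google.com/ 200
this line is garbage
""".splitlines()


def scan_proxy_log(lines, matcher: IocMatcher) -> list:
    """Return one record per log line whose host or path matches an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        result = matcher.check_url(m["url"])
        if result["host_ioc"] or result["path_ioc"]:
            hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"], **result})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, IocMatcher(DEFANGED_DOMAINS, DEFANGED_URL_PATHS)):
        print(hit)
```

Two design points matter for a real deployment. Host matching works on a label boundary, so the legitimate `www.naver.com` is not flagged by the lookalike `naver[.]pw` or `login.bignaver[.]com`, while `beyondparallel.sslport[.]work` is caught through its parent `sslport[.]work`. Path matching is deliberately separate from host matching because the post's URL indicators have their hosts redacted; a path-only hit on an otherwise unknown host is a weaker signal and should be triaged rather than blocked outright.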

Conclusion

Kimsuky represents a significant threat to organizations worldwide, particularly those operating in sensitive sectors. As the group continues to evolve its TTPs, so too must our defenses.

Its activities underline the increasingly prominent role of state-sponsored cyber-espionage in geopolitical conflicts.

As such, organizations, especially those dealing with sensitive political, economic, or scientific information, need to be vigilant and proactive in their cybersecurity efforts to counter such threats.

By understanding Kimsuky’s motivations and IoCs, we can better prepare ourselves for this persistent and advanced threat.