US federal agencies warn organisations of global hacking campaign by North Korean Kimsuky group
The group is specifically interested in gaining intelligence on issues related to the Korean peninsula
US federal agencies on Tuesday published an advisory to warn businesses and government organisations of an advanced North Korean hacking group that has been running cyber campaigns to collect sensitive information on various topics of interest to the North Korean regime.
The alert, jointly published by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the US Cyber Command, provides detailed technical information about the cyber activities of the Kimsuky threat group, including its tactics, techniques and procedures.
According to the US officials, Kimsuky has targeted a large number of entities in the US, Japan and South Korea in recent years to gather intelligence on issues including sanctions and nuclear policy. The members of the group appear to be specifically interested in gaining intelligence on issues related to the Korean peninsula.
The group has been active since 2012, and has targeted several South Korean government departments, think tanks, and "individuals identified as experts in various fields" in recent years.
Kimsuky, also sometimes referred to as the Velvet Chollima group, is likely linked to the North Korean government, according to officials.
To gain initial access to a victim's machine, the group typically uses spear-phishing emails and watering hole attacks.
"The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools," the advisory says.
Kimsuky also uses a variety of other methods to gain initial access, such as distributing malicious programs through torrent sharing sites, directing victims to install malicious browser extensions, and using login-security-alert-themed emails.
After gaining initial access, the group uses BabyShark malware and PowerShell or the Windows Command Shell for Execution.
Kimsuky is thought to be responsible for 2014 cyber attacks against Korea Hydro & Nuclear Power Co., which operates nuclear power plants in South Korea. In recent months, the group has been observed sending spear-phishing emails with Covid-19-themed lures in attempts to take advantage of the pandemic to steal confidential information from victims.
According to CrowdStrike's 2020 Global Threat Report, Kimsuky has recently started targeting cryptocurrency exchanges and users to run "currency-generation operations".
The US agencies advise private entities and individuals within Kimsuky's target profile to take all appropriate measures to improve the security of their systems and networks.
"Particularly important mitigations include safeguards against spear-phishing, use of multi-factor authentication, and user awareness training," they state.
The latest alert from US agencies comes nearly two months after they warned in August that the North Korea-backed 'BeagleBoyz' group had been using remote access malware tools to steal millions of dollars from banks around the world.
They referred to the campaign as "Fast Cash" and claimed that the main aim of those activities was to fund the North Korean government by initiating fraudulent money transfers from banks and causing ATMs to spit out cash.