This week, a joint cybersecurity advisory was released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF). The advisory warned that a North Korean advanced persistent threat (APT) group known as “Kimsuky” was directed at worldwide targets in an effort to gain intelligence on various topics of interest to the government in Pyongyang.
The alert addressed the tactics, techniques, and procedures (TTPs) employed by the hacker group. The United States government refers to all malicious cyber activity by or at the behest of the North Korean government as HIDDEN COBRA.
The release of the joint advisory is notable in that it discloses extensive details of Kimsuky’s methods.
“Historically, the U.S. government has received a lot of criticism from the cybersecurity community about their reporting,” said Katie Nickels, director of intelligence at threat detection and response specialists Red Canary, in an email to ClearanceJobs.
“Many times, governments are not able to share details of activity because of sensitive sources and methods they used to acquire the information,” Nickels added. “However, many researchers have criticized the government for not sharing actionable context and information about cyber threats. In a departure from that history, the report released by DHS, FBI, and CYBERCOM contains many details about cyber threats that defenders could action. It provides both behavior-based details as well as indicators of compromise from both the endpoint and network perspectives, which would allow defenders with various collections and visibility to identify these threats.”
Spearphishing and Social Engineering Efforts
Unlike recent cyber efforts directed from China, which exploit software vulnerabilities, Kimsuky uses a combination of spearphishing and social engineering to obtain access to a victim’s network. These efforts included the use of stolen web hosting credentials, as well as sending benign emails to targets that appeared to come from South Korean reporters. Once a target agreed to an interview, Kimsuky would send a follow-up email carrying malicious code inside documents or other files, typically a variant of the BabyShark malware.
To lure targets, Kimsuky tailored its spearphishing and social engineering lures to relevant topics, such as Covid-19 and North Korea’s nuclear program. To conceal the fact that the target’s computer may have been infected, Kimsuky would then send an email canceling the interview.
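The two-stage pattern described above (an attachment-free first contact, then a follow-up that carries the payload) is something a mail-triage pipeline can look for. The following Python script is an added example written for this article, not code from the advisory, from CISA, or from ClearanceJobs; the scoring weights, the `RISKY_EXTENSIONS` and `FREEMAIL_DOMAINS` lists, and the two sample messages are constructed assumptions used only to illustrate the checks.

```python
"""Defensive triage for a two-stage spearphishing thread: a benign first
contact followed by a message carrying a risky attachment. Added example;
heuristics, weights, domains, and sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Attachment extensions that commonly carry executable content (assumed list).
RISKY_EXTENSIONS = {".hta", ".js", ".vbs", ".scr", ".exe", ".docm", ".xlsm", ".lnk", ".chm"}
# Placeholder free-mail domain used by the constructed samples below.
FREEMAIL_DOMAINS = {"example-freemail.test"}
# Words a "reporter" persona would use in a display name (assumed list).
PRESS_WORDS = ("reporter", "journalist", "news", "correspondent")


def _domain(address):
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def attachment_names(msg):
    """Filenames of every part that declares one (i.e., the attachments)."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def score_message(raw, earlier_had_attachment=None):
    """Score one raw RFC 5322 message. earlier_had_attachment is None for the
    first message in a thread, otherwise whether any earlier message had one."""
    msg = message_from_string(raw)
    findings, score = [], 0
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Check 1: replies are steered to a domain other than the visible sender.
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")
        score += 2
    # Check 2: a press persona in the display name, sent from a free-mail domain.
    if from_domain in FREEMAIL_DOMAINS and any(w in display.lower() for w in PRESS_WORDS):
        findings.append("press persona in display name but free-mail sender domain")
        score += 1
    # Check 3: attachment types that can execute code.
    names = attachment_names(msg)
    risky = [n for n in names if "." + n.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS]
    if risky:
        findings.append("risky attachment type: " + ", ".join(risky))
        score += 3
    # Check 4: the two-stage pattern itself: first contact clean, follow-up armed.
    if names and earlier_had_attachment is False:
        findings.append("attachment appears only after an attachment-free first contact")
        score += 2
    return {"from": addr, "attachments": names, "findings": findings, "score": score}


def triage_thread(raw_messages):
    """Score each message in thread order, carrying forward whether any
    earlier message in the thread carried an attachment."""
    results, seen_attachment = [], None
    for raw in raw_messages:
        result = score_message(raw, seen_attachment)
        if result["score"] >= 4:
            result["verdict"] = "escalate"
        elif result["score"] > 0:
            result["verdict"] = "monitor"
        else:
            result["verdict"] = "clean"
        results.append(result)
        seen_attachment = bool(seen_attachment) or bool(result["attachments"])
    return results


# Constructed sample thread: benign interview request, then an armed follow-up.
FIRST_CONTACT = """From: "Jane Reporter, Daily News" <jane.reporter@example-freemail.test>
To: analyst@think-tank.test
Subject: Interview request on sanctions policy
Content-Type: text/plain

Would you be available for a short interview next week?
"""

FOLLOW_UP = """From: "Jane Reporter, Daily News" <jane.reporter@example-freemail.test>
Reply-To: jane.reporter@other-domain.test
To: analyst@think-tank.test
Subject: Re: Interview request on sanctions policy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Thanks, the questions are attached.
--b1
Content-Type: application/octet-stream; name="questions.docm"
Content-Disposition: attachment; filename="questions.docm"

ZmFrZQ==
--b1--
"""

if __name__ == "__main__":
    for i, r in enumerate(triage_thread([FIRST_CONTACT, FOLLOW_UP]), 1):
        print(f"message {i}: score={r['score']} verdict={r['verdict']} findings={r['findings']}")
```

Run stand-alone, the script scores the first contact as "monitor" (only the persona check fires) and the follow-up as "escalate" because the Reply-To mismatch, the macro-enabled attachment, and the thread-level pattern all fire together. The thread-level check is the one that matters for this actor: each message on its own can look unremarkable, so triage should keep state across a conversation rather than scoring messages in isolation.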
According to the advisory, the Kimsuky APT has been operating since 2012 and was likely tasked by the regime in Pyongyang with a global intelligence gathering mission. It employs common social engineering tactics and has conducted intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
Its intelligence collection activities have focused on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. The main targets have been experts in various fields, think tanks, and South Korean government entities.
“The U.S.-CERT alert on the North Korean APT group known as Kimsuky is not surprising, coming so soon after a similar alert about APT groups operating out of China,” explained cybersecurity expert Saryu Nayyar, CEO of Gurucul.
“State and state-sponsored attacks have existed for years, but have grown higher profile and less covert over time,” Nayyar told ClearanceJobs via an email. “The DPRK (Democratic People’s Republic of North Korea) has used cyberattacks as a form of asymmetric warfare for years, and is suspected of being behind a number of high-profile attacks against civilian targets.”
CISA, the FBI, and CNMF have recommended that individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.
“Organizations can defend themselves by using best of breed security solutions, including behavioral analytics, and by educating their user base to defend against the social engineering and spear phishing attacks this group often employs,” Nayyar added.