Headline
North Korea's Kimsuky APT Keeps Growing, Despite Public Outing
Kim Jong Un’s Swiss Army knife APT continues to spread its tendrils around the world, showing it’s not intimidated by the researchers closing in.
Globally, interest has surged around North Korea’s Kimsuky advanced persistent threat group (a.k.a. APT43) and its hallmarks. Still, the group is showing no signs of slowing down despite the scrutiny.
Kimsuky is a government-aligned threat actor whose main aim is espionage, often (but not exclusively) in the fields of policy and nuclear weapons research. Its targets have spanned the government, energy, pharmaceutical, and financial sectors, and more beyond that, mostly in countries that the DPRK considers arch-enemies: South Korea, Japan, and the United States.
Kimsuky is by no means a new outfit — CISA has traced the group’s activity all the way back to 2012. Interest peaked last month thanks to a report from cybersecurity firm Mandiant, and a Chrome extension-based campaign that led to a joint warning from German and Korean authorities. In a blog published April 20, VirusTotal highlighted a spike in malware lookups associated with Kimsuky, as demonstrated in the graph below.
Volume of lookups for Kimsuky malware samples. Source: Virus Total
Many an APT has crumbled under increased scrutiny from researchers and law enforcement. But signs show Kimsuky is unfazed.
“Usually when we publish insights they’ll go 'Oh, wow, we’re exposed. Time to go underground,’” says Michael Barnhart, principal analyst at Mandiant, of typical APTs.
In Kimsuky’s case, however, “no one cares at all. We’ve seen zero slowdown with this thing.”
What’s Going on With Kimsuky?
Kimsuky has gone through many iterations and evolutions, including an outright split into two subgroups. Its members are most practiced at spear phishing, impersonating members of targeted organizations in phishing emails — often for weeks at a time — in order to get closer to the sensitive information they’re after.
The malware they’ve deployed over the years, however, is far less predictable. They’ve demonstrated equal capability with malicious browser extensions, remote access Trojans, modular spyware, and more, some of it commercial and some not.
In the blog post, VirusTotal highlighted the APT’s propensity for delivering malware via .docx macros. In a few cases, though, the group utilized CVE-2017-0199, a 7.8 high severity-rated arbitrary code execution vulnerability in Windows and Microsoft Office.
With the recent uptick in interest around Kimsuky, VirusTotal has revealed that most uploaded samples are coming from South Korea and the United States. This tracks with the group’s history and motives. However, it also has its tendrils in countries one might not immediately associate with North Korean politics, like Italy and Israel.
For example, when it comes to lookups — individuals taking an interest in the samples — the second most volume comes from Turkey. “This may suggest that Turkey is either a victim or a conduit of North Korean cyber attacks,” according to the blog post.
Kimsuky malware sample lookups by country. Source: VirusTotal
How to Defend Against Kimsuky
Because Kimsuky targets organizations across countries and sectors, the range of organizations who need to worry about them is greater than most nation-state APTs.
“So what we’ve been preaching everywhere,” Barnhart says, “is strength in numbers. With all these organizations around the world, it’s important that we all talk to each other. It’s important that we collaborate. No one should be operating in a silo.”
And, he emphasizes, because Kimsuky uses individuals as conduits for greater attacks, everybody has to be on the lookout. “It’s important that we all have this baseline of: don’t click on links, and use your multi-factor authentication.”
With simple safeguards against spear phishing, even North Korean hackers can be thwarted. “From what we’re seeing, it does work if you actually take the time to follow your cyber hygiene,” Barnhart notes.
Related news
Windows users are at risk for full device takeover by an emerging malicious version of the Remcos remote admin tool, which is being used in an ongoing campaign exploiting a known remote code execution (RCE) vulnerability in Microsoft Office and WordPad.
This article explains the inner workings of the Remcos RAT, a dangerous malware that uses advanced techniques to…
More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it's being used by a large number of cybercriminals to conduct credential theft. "For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," Palo Alto Networks Unit 42 researchers Shehroze Farooqi,
Chinese-speaking users are the target of an ongoing campaign that distributes malware known as ValleyRAT. "ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage," Fortinet FortiGuard Labs researchers Eduardo Altares and Joie Salvio said. "Another noteworthy characteristic of this malware is its
The nation-state espionage group known for attacking Pakistan has expanded its reach to targets in Egypt and Sri Lanka.
The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the
Spanish speakers beware! A new campaign using the Agent Tesla RAT targets Spanish-speaking individuals. Learn how to protect…
The health, manufacturing, and energy sectors are the most vulnerable to ransomware.
A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts. "The payload discovered is a leaked version of a Cobalt Strike beacon," Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday. "The beacon configuration contains
By Chetan Raghuprasad and Vanja Svajcer. Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks. Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand. The attack involves a multistage and modular infection chain with fileless, malicious scripts. Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository. Talos discovered two attack met...
The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.