U.S. Shares Information on North Korean Threat Actor 'Kimsuky'

An alert released by the United States this week provides information on Kimsuky, a threat actor focused on gathering intelligence on behalf of the North Korean government.

Issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Cyber Command Cyber National Mission Force (CNMF), the advisory notes that the adversary has been active since at least 2012, engaging in social engineering, spear-phishing, and watering hole attacks.

The malicious cyber activity associated with the North Korean government is typically referred to as HIDDEN COBRA by the United States.

Kimsuky, the alert says, targets individuals and organizations located in Japan, South Korea, and the United States, and is mainly focused on gathering intelligence on “foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.”

Targets include entities associated with the South Korean government, individuals who are believed to be experts in various fields, and think tanks.

For initial access, Kimsuky uses spear-phishing with malicious attachments, and various social engineering methods. However, the threat actor would also send benign emails to gain victims’ trust. Malicious scripts and tools are hosted using stolen web hosting credentials, the alert reads.

The adversary was observed posing as South Korean reporters and engaging with intended targets to claim to be arranging interviews on inter-Korean issues and denuclearization negotiations. To one recipient who agreed to an interview, Kimsuky sent a malicious document in a subsequent email, to infect the victim with a variant of the BabyShark malware.

The em ..