Kimsuky

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.[1][2][3][4][5]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[6][7][8]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ID: G0094
Associated Groups: STOLEN PENCIL, Thallium, Black Banshee, Velvet Chollima
Version: 3.0
Created: 26 August 2019
Last Modified: 14 October 2021

Associated Group Descriptions

Name Description
STOLEN PENCIL [6]
Thallium [3][4]
Black Banshee [3][4]
Velvet Chollima [9][10][4]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Kimsuky has registered domains to spoof targeted organizations and trusted third parties.[10][11][5][3][4]

Enterprise T1557 Adversary-in-the-Middle

Kimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.[5]

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

Kimsuky has used FTP to download additional malware to the target machine.[12]

Enterprise T1071 .003 Application Layer Protocol: Mail Protocols

Kimsuky has used e-mail to send exfiltrated data to C2 servers.[5]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Kimsuky has used RC4 encryption on collected data before exfiltration.[13]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Kimsuky has placed scripts in the startup folder for persistence.[13][5][14]

Enterprise T1176 Browser Extensions

Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.[9][6]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Kimsuky has executed a variety of PowerShell scripts.[1][5]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Kimsuky has used Visual Basic to download malicious payloads.[10][12][14]

Enterprise T1059 .006 Command and Scripting Interpreter: Python

Kimsuky has used a Mac OS Python implant to gather data.[5]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Kimsuky has used JScript for logging and downloading additional tools.[12][5]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

Kimsuky has compromised email accounts to send spearphishing e-mails.[12][4]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Kimsuky has created new services for persistence.[13][5]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Kimsuky has used browser extensions, including ones for Google Chrome, to steal passwords and cookies from browsers.[9][5][6]

Enterprise T1005 Data from Local System

Kimsuky has collected Office, PDF, and HWP documents from its victims.[13]

Enterprise T1074 .001 Data Staged: Local Data Staging

Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.[5]

Enterprise T1587 Develop Capabilities

Kimsuky created and used a mailing toolkit to use in spearphishing attacks.[12]

Enterprise T1114 .003 Email Collection: Email Forwarding Rule

Kimsuky has set auto-forward rules on victims' e-mail accounts.[5]

Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

Kimsuky has an HWP document stealer module which changes the default program association in the registry used to open HWP documents.[13]

Enterprise T1041 Exfiltration Over C2 Channel

Kimsuky has exfiltrated data over its email C2 channel.[13]

Enterprise T1133 External Remote Services

Kimsuky has used RDP to establish persistence.[5]

Enterprise T1083 File and Directory Discovery

Kimsuky has the ability to enumerate all the drives on an infected system.[13]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Kimsuky has collected valid email addresses that were subsequently used in spearphishing campaigns.[4]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Kimsuky has been observed turning off Windows Security Center.[13]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Kimsuky has been observed disabling the system firewall.[13]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Kimsuky has deleted the exfiltrated data on disk after transmission.[13]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

Kimsuky has manipulated file creation and compilation timestamps as an anti-forensic measure to hinder forensic analysis.[3]

Enterprise T1105 Ingress Tool Transfer

Kimsuky has used scripts to download additional tools from compromised domains to victim systems.[14]

Enterprise T1056 .001 Input Capture: Keylogging

Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.[1][13][5][6]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Kimsuky has disguised services to appear as benign software or related to operating system functions.[5]

Enterprise T1112 Modify Registry

Kimsuky has modified Registry settings for default file associations to enable the opening of malicious documents.[5][14]

Enterprise T1040 Network Sniffing

Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.[5][6]

Enterprise T1027 Obfuscated Files or Information

Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.[10][12]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Kimsuky has packed malware with UPX.[4]

Enterprise T1588 .002 Obtain Capabilities: Tool

Kimsuky has obtained and used tools such as Mimikatz and PsExec.[6]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Kimsuky has gathered credentials using Mimikatz and ProcDump.[5][6]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.[9][13][10][12][3][4]

Enterprise T1566 .002 Phishing: Spearphishing Link

Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.[1][6]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Kimsuky has used links in e-mail to steal account information.[12][4]

Enterprise T1055 Process Injection

Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.[13]

Enterprise T1219 Remote Access Software

Kimsuky has used a modified TeamViewer client as a command and control channel.[13][14]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Kimsuky has used RDP for direct remote point-and-click access.[6]

Enterprise T1593 .001 Search Open Websites/Domains: Social Media

Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.[4]

Enterprise T1505 .003 Server Software Component: Web Shell

Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.[5]

Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

Kimsuky has used mshta.exe to run malicious scripts on the system.[1][5][14]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Kimsuky has signed files with the name EGIS CO,. Ltd..[10]

Enterprise T1082 System Information Discovery

Kimsuky has gathered information about the infected computer.[13]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Kimsuky has used tools that are capable of obtaining credentials from saved mail.[6]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Kimsuky has used pass the hash for authentication to remote access software used in C2.[5]

Enterprise T1204 .002 User Execution: Malicious File

Kimsuky has attempted to lure victims into opening malicious e-mail attachments.[10][12][5][3][4]

Enterprise T1078 .003 Valid Accounts: Local Accounts

Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.[6]

Software

ID Name References Techniques
S0622 AppleSeed [4] Access Token Manipulation, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript, Data from Local System, Data from Removable Media, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Masquerading, Masquerading: Match Legitimate Name or Location, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Attachment, Process Discovery, Screen Capture, Signed Binary Proxy Execution: Regsvr32, System Information Discovery, System Network Configuration Discovery, System Time Discovery, User Execution: Malicious File
S0414 BabyShark [5][3][14] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Query Registry, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0527 CSPY Downloader [3] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Indicator Removal on Host: File Deletion, Indicator Removal on Host, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Modify Registry, Obfuscated Files or Information: Software Packing, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks
S0526 KGH_SPY [3] Application Layer Protocol: Web Protocols, Boot or Logon Initialization Scripts: Logon Script (Windows), Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Email Collection: Local Email Collection, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Software Discovery, System Information Discovery, User Execution: Malicious File
S0002 Mimikatz [6] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0353 NOKKI [14] Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Credential API Hooking, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0029 PsExec [6] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0111 schtasks [3] Scheduled Task/Job: Scheduled Task

References