Dark Reading is part of the Informa Tech Division of Informa PLC

New Tools Make North Korea's Kimsuky Group More Dangerous

Threat actor actively targeting US organizations in global intelligence-gathering campaign, government says.

Kimsuky — a dangerous North Korean threat group that the Department of Homeland Security (DHS) last week warned is actively targeting US organizations — has acquired new tools for carrying out its cyber-espionage operations with greater stealth and precision.

Among those in its crosshairs are organizations in the pharmaceutical sector, research institutes, think tanks, and entities with a nexus to foreign policy and national security issues — including nuclear policy and sanctions — related to the Korean peninsula.


Cybereason, one of several security vendors that have been tracking Kimsuky over the past few years, this week said a new analysis shows the group has acquired previously undocumented capabilities that make it more potent.

Among them is a modular spyware suite dubbed KGH_SPY, with multiple components for collecting sensitive data, spying on users, executing arbitrary commands, planting backdoors, and carrying out other malicious activities. One of KGH_SPY's components is an information stealer that can harvest data from browsers, Windows Credential Manager, WinSCP, and mail clients. At the time the report was written, no antivirus vendor's products detected the component, Cybereason said. The Kimsuky group is also using another new tool, called CSPY, to evade malware detection tools and to determine whether a system is safe for it to download additional malware onto.

"The newly discovered tool set appears to be very focused on information collection, likely to support [Kimsuky's] espionage efforts," says Assaf Dahan, senior director, head of threat research, at Cybereason.

The malware seems to be the newest addition to Kimsuky's arsenal and shows the manner in which the group has kept retiring older tools that either get exposed via security researchers or have become outdated, Dahan says.

Kimsuky — also tracked as Thallium, Velvet Chollima, and Black Banshee by various vendors — is a threat group that has been around since at least 2012. The US government and others have described it as being part of a broader set of North Korea-sponsored malicious activity collectively referred to as "Hidden Cobra."

Over the years, Kimsuky has been associated with numerous attacks apparently designed to gather intelligence on topics of interest to Pyongyang. In that respect, the group differs from other North Korean groups, such as Lazarus, which have also conducted financially motivated attacks — like ransomware attacks, cryptomining, and online bank heists — to raise funds for the cash-strapped government.

Pharmaceuticals, Research Companies Being Targeted
Dahan says Kimsuky poses a particular threat to pharmaceutical and research companies working on COVID-19 vaccines and therapies, human rights groups, education and academic organizations, government research institutes, and journalists covering the Korean peninsula.

Last week, the FBI, the DHS's Cybersecurity and Infrastructure Security Agency (CISA), and US Cyber Command's Cyber National Mission Force (CNMF) released a joint advisory detailing the group's tactics, techniques, and procedures.

The advisory warned that Kimsuky is actively engaged in a global intelligence-gathering campaign, most likely on behalf of the North Korean regime. It urged organizations likely to be of interest to the group to be on the lookout for watering-hole attacks, spear-phishing, and other social engineering tactics designed to gain initial access to their networks.

In previous attacks, the group has been known to send benign emails to targets in an attempt to earn their trust, the advisory noted. Often the recipients are regarded as experts in their field. One tactic the group has used is for members to pose as South Korean reporters seeking to schedule an interview with a particular target on some matter pertinent to the Korean peninsula. Targets who fall for the scam have subsequently received email messages carrying either a malicious attachment or a Google Drive link in the body.

Users or administrators should flag activity associated with the malware and report it to CISA or the FBI, the alert said. "Give the activity the highest priority for enhanced mitigation," it noted.

Dahan says it's unclear what exactly might have prompted the advisory at this time. "Kimsuky is one of the most industrious threat groups operating in the current cyber-threat landscape," he says. "I can speculate that based on the increase in the group's activity that we have been seeing, targeting various industries worldwide and American interests, they might have found it timely to issue that threat report."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
