
05:15 PM

New Tools Make North Korea's Kimsuky Group More Dangerous

Threat actor actively targeting US organizations in global intelligence-gathering campaign, government says.

Kimsuky — a dangerous North Korean threat group that the Department of Homeland Security (DHS) last week warned is actively targeting US organizations — has acquired new tools for carrying out its cyber-espionage operations with greater stealth and precision.

Among those in its crosshairs are organizations in the pharmaceutical sector, research institutes, think tanks, and entities with a nexus to foreign policy and national security issues — including nuclear policy and sanctions — related to the Korean peninsula.

Cybereason, one of several security vendors that have been tracking Kimsuky over the past few years, this week said a new analysis shows the group has acquired previously undocumented capabilities that make it more potent.

Among them is a modular spyware suite dubbed KGH_SPY with multiple components for collecting sensitive data, spying on users, executing arbitrary commands, planting backdoors, and carrying out other malicious activities. One of KGH_SPY's components is an information stealer that can harvest data from browsers, Windows Credential Manager, WinSCP, and mail clients. At the time the report was written, no antivirus vendor's products detected the component, Cybereason said. The Kimsuky group is also using another new tool called CSPY to evade malware detection tools and to determine if a system is safe for it to download additional malware.

"The newly discovered tool set appears to be very focused on information collection, likely to support [Kimsuky's] espionage efforts," says Assaf Dahan, senior director, head of threat research, at Cybereason.

The malware seems to be the newest addition to Kimsuky's arsenal and shows the manner in which the group has kept retiring older tools that either get exposed via security researchers or have become outdated, Dahan says.

Kimsuky — also tracked as Thallium, Velvet Chollima, and Black Banshee by various vendors — is a threat group that has been around since at least 2012. The US government and others have described it as being part of a broader set of North Korea-sponsored malicious activity collectively referred to as "Hidden Cobra."

Over the years, Kimsuky has been associated with numerous attacks apparently designed to gather intelligence on topics of interest to Pyongyang. In that respect, the group is different from other North Korean groups, such as Lazarus, which have also conducted financially motivated attacks — like ransomware attacks, cryptomining, and online bank heists — to raise finances for the cash-strapped government.

Pharmaceuticals, Research Companies Being Targeted

Dahan says Kimsuky poses a particular threat to pharmaceutical and research companies working on COVID-19 vaccines and therapies, human rights groups, education and academic organizations, government research institutes, and journalists covering the Korean peninsula.

Last week, the FBI, the DHS's Cybersecurity and Infrastructure Agency (CISA) and US Cyber Command Cyber National Mission Force (CNMF) released a joint advisory with details on the group's tactics, techniques, and procedures.

The advisory warned of Kimsuky being actively engaged in a global intelligence-gathering campaign, most likely on behalf of the North Korean regime. It urged organizations that likely are of interest to the group to be on the lookout for watering-hole attacks, spear-phishing, and other social engineering tactics designed to attempt initial access on their networks.

In previous attacks, the group has been known to send benign emails to targets in an attempt to earn their trust, the advisory noted. Often the recipients are regarded as experts in their field. One tactic the group has used is for members to pose as South Korean reporters seeking to schedule an interview with a particular target on some matter pertinent to the Korean peninsula. Targets who fall for the scam have subsequently received email messages with a malicious attachment or a Google Drive link in the body.

Users or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI, the alert said. "Give the activity the highest priority for enhanced mitigation," it noted.

Dahan says it's unclear what exactly might have prompted the advisory at this time. "Kimsuky is one of the most industrious threat groups operating in the current cyber-threat landscape," he says. "I can speculate that based on the increase in the group's activity that we have been seeing, targeting various industries worldwide and American interests, they might have found it timely to issue that threat report."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
