The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) this week issued Alert AA20-301A, titled "North Korean Advanced Persistent Threat Focus: Kimsuky" (https://us-cert.cisa.gov/ncas/alerts/aa20-301a), warning U.S. businesses, and particularly those in the commercial sector, about the tactics used by the North Korean advanced persistent threat (APT) group Kimsuky.
The Alert, co-authored by the Federal Bureau of Investigation (FBI) and the U.S. Cyber Command Cyber National Mission Force (CNMF), “describes the tactics, techniques and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government.”
The key findings of the government on Kimsuky’s activities include:
- The Kimsuky APT group has most likely been operating since 2012.
- Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
- Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.
- Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.
- Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
- Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
- Kimsuky specifically targets:
  - Individuals identified as experts in various fields,
  - Think tanks, and
  - South Korean government entities.
- CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.
The social engineering and spearphishing methods used by Kimsuky are outlined in the Alert and are worth reviewing. After obtaining initial access, Kimsuky has used the BabyShark malware, and it relies on PowerShell or the Windows Command Shell for execution.
The Alert lists the indicators of compromise, including domains that have been used by Kimsuky, which IT professionals may wish to consult.
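A practical way to use the domain indicators is to sweep DNS and proxy logs for them, matching the exact domain and any subdomain of it while not matching lookalikes that merely end in the same string. The script below is an added example and is not part of the Alert or of CISA's tooling; the indicator domains and the log lines in it are constructed placeholders on the reserved .test TLD, to be replaced with the domains listed in AA20-301A and a real log export.

```python
"""Sweep DNS/proxy log lines for IOC domains (exact or subdomain match).

Added example, not code from the CISA Alert. IOC_DOMAINS and SAMPLE_LOG are
constructed placeholders; substitute the domains from AA20-301A and real logs.
"""
from __future__ import annotations

import re
from typing import Iterable, List, Tuple

# Constructed placeholder indicators (reserved .test TLD), NOT real IOCs.
IOC_DOMAINS = {
    "c2-ioc-one.test",
    "c2-ioc-two.test",
}

# Pulls a hostname out of a bare domain field or a URL.
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.IGNORECASE)


def normalize(host: str) -> str:
    """Lower-case and drop a trailing dot so 'MAIL.X.test.' compares equal to 'mail.x.test'."""
    return host.strip().rstrip(".").lower()


def matches_ioc(host: str, iocs: Iterable[str] = IOC_DOMAINS) -> str | None:
    """Return the indicator if host equals it or is a subdomain of it, else None.

    The '.' prefix in the endswith check is what keeps 'notc2-ioc-one.test'
    from matching the indicator 'c2-ioc-one.test'.
    """
    h = normalize(host)
    for ioc in iocs:
        i = normalize(ioc)
        if h == i or h.endswith("." + i):
            return i
    return None


def scan_log_lines(lines: Iterable[str], iocs: Iterable[str] = IOC_DOMAINS) -> List[Tuple[int, str, str]]:
    """Return (line_number, observed_host, matched_indicator) for each hit (first hit per line)."""
    ioc_list = list(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            ioc = matches_ioc(m.group(1), ioc_list)
            if ioc:
                hits.append((n, m.group(1), ioc))
                break
    return hits


# Constructed sample log lines (a DNS query log and a proxy access log).
SAMPLE_LOG = [
    "2020-10-27T10:01:02Z dns query=mail.c2-ioc-one.test qtype=A",
    "2020-10-27T10:01:03Z dns query=update.example.test qtype=A",
    "2020-10-27T10:02:10Z proxy GET https://c2-ioc-two.test/login.php",
    "2020-10-27T10:03:00Z dns query=notc2-ioc-one.test qtype=A",
]

if __name__ == "__main__":
    for n, host, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {host} matches indicator {ioc}")
```

Against the sample log, lines 1 and 3 are reported and line 4 is not: the lookalike domain shares a suffix with an indicator but is not a subdomain of it, which is the false positive a naive substring search would raise. Feed it your own export by replacing SAMPLE_LOG with the file's lines.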