Rapport Threat INT V01-1

This document analyzes the North Korean threat actor group known as Kimsuky. It provides an overview of Kimsuky, including its timeline of activity since 2013, profiles of its operations targeting South Korea and other countries, tools and techniques used like spearphishing and malware, and recommendations for defending against its attacks. The analysis seeks to help organizations better understand advanced persistent threats to improve cybersecurity defenses and risk mitigation.


TEKUP UNIVERSITY
Private Higher School of Technology and Engineering TEKUP

Engineering degree in Security of Computer Systems and Networks

Mini Project: Threat Intelligence

Prepared by:
Sassi Khouloud
Kessentini Feres

Kimsuky
TABLE OF CONTENTS

LIST OF FIGURES iii

General Introduction 1

1 Threat Actor Analysis : Kimsuky 2


1.1 INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.1 Threat Actor Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.1.1 Introduction : . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.1.2 Purpose : . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.1.3 Scope : . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.2 Importance of Studying Threat Actors . . . . . . . . . . . . . . . . . . 3
1.1.2.1 Strategic Defense : . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.2.2 Incident Response : . . . . . . . . . . . . . . . . . . . . . . 4
1.1.2.3 Risk Mitigation : . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.2.4 Regulatory Compliance : . . . . . . . . . . . . . . . . . . . 4
1.1.3 Overview of Kimsuky . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.3.1 Background : . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.3.2 Evolution : . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.3.3 Strategic Significance : . . . . . . . . . . . . . . . . . . . . 5
1.2 Introduction of the Threat Actor . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2.1 Timeline of Their Activity . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2.2 Threat Actor Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2.2.1 Who is Kimsuky . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2.2.2 Kimsuky Attack . . . . . . . . . . . . . . . . . . . . . . . . 8
1.2.2.3 Tools and Vulnerabilities Used by Kimsuky . . . . . . . . . 10
1.2.2.4 The Targets of Kimsuky . . . . . . . . . . . . . . . . . . . . 12
1.2.2.5 Operations of Kimsuky . . . . . . . . . . . . . . . . . . . . 13
1.2.2.6 South Korean Nuclear Reactor Cyberattack . . . . . . . . . 13
1.2.2.7 Operation Stolen Pencil . . . . . . . . . . . . . . . . . . . . 14

TEKUP Page i

1.2.2.8 Foreign Ministries and Think Tanks Spearphishing Campaign 14


1.2.2.9 Operation AppleSeed . . . . . . . . . . . . . . . . . . . . . 15
1.2.2.10 Operation CloudDragon . . . . . . . . . . . . . . . . . . . 15
1.2.2.11 Emulating Kimsuky’s Espionage Operations . . . . . . . . . 16
1.2.2.12 Social Engineering and Spearphishing Campaigns . . . . . . 16
1.2.2.13 Connections with Other APT Groups . . . . . . . . . . . . . 17
1.2.2.14 Recent Actions Against Kimsuky & New Tactics of Kimsuky 18
1.3 CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.4 How to Defend Against Kimsuky . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.5 Security Recommendations Against Kimsuky . . . . . . . . . . . . . . . . . . 20
1.6 Indicators of compromise (IOC) . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.7 MITRE ATTACK TTPs Used by Kimsuky . . . . . . . . . . . . . . . . . . . . 22

GENERAL CONCLUSION 24

BIBLIOGRAPHY 24

LIST OF FIGURES

1.1 Kimsuky . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Activity timeline for Kimsuky . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Represents North Korean cyber threat actors (created with Bing Image Creation
powered by Dall-E). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4 Kimsuky’s aliases (Source : SOCRadar) . . . . . . . . . . . . . . . . . . . . . 7
1.5 Smoke Screen attack employed a legitimate spearphishing email with a malicious
HWP file (Source : ESTsecurity) . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.6 Kimsuky’s Malicious Google Chrome Extension Sharpext’s process flow (Source :
Volexity) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.7 Vulnerability intelligence screenshot of CVE-2017-0199 . . . . . . . . . . . . 10
1.8 Observed Malware and Software associated with Kimsuky . . . . . . . . . . . 11
1.9 Observed CVEs used by Kimsuky . . . . . . . . . . . . . . . . . . . . . . . . 12
1.10 Countries affected by Kimsuky . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.11 Campaign Page of Recon Shark, the tool used by Kimsuky . . . . . . . . . . . 15
1.12 Example of an email that is impersonating a think tank researcher . . . . . . . 16
1.13 SOCRadar XTI Threat Actor page of Kimsuky . . . . . . . . . . . . . . . . . 18
1.14 Company Vulnerabilities page under the Attack Surface Management Module . 21
1.15 IOC (AppleSeed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.16 MITRE ATTACK TTPs Used by Kimsuky . . . . . . . . . . . . . . . . . . . . 23



General Introduction

Kimsuky is assessed to be a North Korean state-sponsored cyber-espionage group. Knowledge
about such groups changes over time: the picture given here reflects the public reporting
available when this report was written, and new developments may have occurred since.

Kimsuky attracted attention for its cyber-espionage activity, with a primary focus on South
Korea and neighbouring countries. Since at least 2013 the group has been linked to campaigns
aimed at collecting sensitive information, performing reconnaissance, and carrying out cyber
attacks. Kimsuky typically uses spear-phishing emails, malware delivery, and social engineering
to infiltrate its targets. The group has been connected to attacks against government bodies,
military organizations, and defense contractors, with the goal of acquiring intelligence in
support of North Korea's strategic objectives.

To maintain an accurate and current understanding of groups like Kimsuky and their operations,
it is critical to keep up with the latest cybersecurity reporting, because the threat landscape
evolves quickly.

Chapter 1

Threat Actor Analysis : Kimsuky

Contents
1.1 INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.1 Threat Actor Analysis . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.2 Importance of Studying Threat Actors . . . . . . . . . . . . . . 3
1.1.3 Overview of Kimsuky . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Introduction of the Threat Actor . . . . . . . . . . . . . . . . . 5
1.2.1 Timeline of Their Activity . . . . . . . . . . . . . . . . . . . . . 6
1.2.2 Threat Actor Profile . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.4 How to Defend Against Kimsuky . . . . . . . . . . . . . . . . . 20
1.5 Security Recommendations Against Kimsuky . . . . . . . . . 20
1.6 Indicators of compromise (IOC) . . . . . . . . . . . . . . . . . . 21
1.7 MITRE ATTACK TTPs Used by Kimsuky . . . . . . . . . . . 22

THREAT ACTOR ANALYSIS : KIMSUKY

1.1 INTRODUCTION

1.1.1 Threat Actor Analysis

1.1.1.1 Introduction :

Organizations face increasingly complex threats from hostile, often state-sponsored actors
as the cybersecurity environment evolves. Threat actor analysis is a critical discipline within
cybersecurity, encompassing the in-depth assessment of the tactics, techniques, and procedures
(TTPs) that threat actors use to breach systems, steal data, and disrupt operations.

1.1.1.2 Purpose :

Understanding threat actors means investigating the motives, tactics, and tools used by
malicious actors in order to strengthen defenses, proactively detect possible threats, and
respond effectively to cyber incidents.

1.1.1.3 Scope :

Threat actor analysis covers a wide range of activity, including the investigation of
state-sponsored groups, criminal organizations, hacktivists, and other entities involved in
cybercrime. Defenders gain vital insight into the dynamic nature of cyber threats by
deconstructing these actors' operations.

1.1.2 Importance of Studying Threat Actors

1.1.2.1 Strategic Defense :

The cybersecurity landscape is changing, and attackers are growing more sophisticated.
Organizations that want to establish strategic defensive measures must first study threat
actors: defenders can only anticipate and prevent attacks by understanding who is attacking them.


1.1.2.2 Incident Response :

In the case of a cyber crisis, having a thorough awareness of threat actors helps firms
to respond quickly and efficiently. Incident responders equipped with information about the
precise strategies employed by threat actors may quickly contain, remove, and recover from a
security breach.

1.1.2.3 Risk Mitigation :

Threat actor analysis offers enterprises with actionable intelligence to help them mitigate
risks more effectively. Organizations may deploy targeted security measures to protect their
digital assets by analyzing patterns and trends in the techniques used by threat actors.

1.1.2.4 Regulatory Compliance :

Compliance with regulatory requirements is mandatory in many industries. Understanding
the threat landscape is critical for compliance, as it enables firms to establish controls and
procedures that fit industry-specific cybersecurity regulations.

1.1.3 Overview of Kimsuky

1.1.3.1 Background :

Kimsuky is a well-known North Korean threat actor with a track record of state-sponsored
cyber espionage. This report examines its activity timeline, its distinct threat actor profile,
and the tactics it uses to achieve its goals.

1.1.3.2 Evolution :

Kimsuky's growth as a threat actor emphasizes the importance of ongoing study. Organizations
can anticipate future approaches and strengthen their resilience against emerging threats by
tracking the group's actions over time.


1.1.3.3 Strategic Significance :

Kimsuky's strategic importance stems from its potential influence on geopolitical, economic,
and technical environments. The goals, targets, and tactics of the threat actor pose challenges
that necessitate a watchful and adaptable cybersecurity posture.

We intend to present a detailed study of Kimsuky in this research, delivering insights that
will enable enterprises to harden their defenses and respond effectively to the changing threat
landscape.

1.2 Introduction of the Threat Actor

Kimsuky (also known as Velvet Chollima, Black Banshee, and Thallium) is a well-known
state-sponsored threat actor from North Korea. Active since at least 2012, the group has targeted
organizations and individuals with continually refreshed phishing themes. It has a history of
attacks against South Korea, Japan, the United States, Russia, and European countries, and
specializes in collecting intelligence from the United States and its closest Asian allies,
Japan and South Korea. In some recent campaigns Kimsuky has also focused on pharmaceutical
companies.

FIGURE 1.1 – Kimsuky


1.2.1 Timeline of Their Activity

— 2013 : First observed targeting South Korean government entities and defectors
— 2015 : Expanded targets to include think tanks and defense contractors
— 2017 : Deployed the "Operation Moonrise" campaign targeting South Korean nuclear
operators
— 2018 : Used stolen South Korean military documents to impersonate officials in
spear-phishing attacks
— 2020 : Employed malicious Chrome extensions and exploited Microsoft vulnerabilities
— 2021 : Leveraged new malware strains such as KGH_SPY and the CSPY Downloader
— 2022 : Targeted research institutes in South Korea with backdoors

FIGURE 1.2 – Activity timeline for Kimsuky

1.2.2 Threat Actor Profile

For a long time, the Korean Peninsula has been a hub of activity in cyberspace. With the
confrontation between North and South Korea escalating, North Korean Advanced Persistent
Threats (APTs) are emerging as the preferred weapon. One name jumps out among these :
Kimsuky.


North Korean APTs have been behind some of the boldest cyber attacks in recent memory.
According to a United Nations assessment, North Korean hackers have stolen more than $2
billion from banks and cryptocurrency exchanges. These funds are thought to be used to support
North Korea's nuclear programs.

FIGURE 1.3 – Represents North Korean cyber threat actors (created with Bing Image Creator
powered by DALL-E).

1.2.2.1 Who is Kimsuky

Kimsuky (also tracked as APT43), a name that is well known across the cybersecurity
industry, is a cyber-espionage group based in North Korea. First publicly reported in 2013,
Kimsuky pursues sensitive information, especially in South Korea but also in the United States
and Europe.

FIGURE 1.4 – Kimsuky's aliases (Source : SOCRadar)


— 1. Origin : Kimsuky is assessed to have ties to North Korea (Democratic People's
Republic of Korea). Attribution is difficult in cybersecurity, but security researchers
and government agencies have connected Kimsuky to North Korean state-sponsored cyber
activity.
— 2. Aliases : APT43, Black Banshee, Emerald Sleet, G0086 (MITRE ATT&CK group ID),
Operation Stolen Pencil, Thallium, Velvet Chollima
— 3. Objective : Kimsuky's principal goal is cyber espionage. The group targets
organizations and individuals in order to acquire intelligence, notably on political,
military, and economic matters, and from research institutions.
— 4. Malware families (Malpedia identifiers) : apk.fastfire, apk.fastspy, ps1.flowerpower,
vbs.randomquery, win.babyshark, win.grease, win.kimsuky, win.mechanical, win.navrat,
win.yorekey, win.alphaseed, win.appleseed
— 5. Targets : Kimsuky is known to target South Korean government agencies, defense
contractors, research institutions, and international businesses active in Korean Peninsula
affairs. Outside the Korean Peninsula, the group has targeted people and organizations
involved in diplomatic, military, and economic activity.
    * Target industries : Education and academic organizations, energy, think tanks, the
    Ministry of Unification, pharmaceutical companies and research institutes, military, media.
    * Target countries : South Korea primarily, but the group has also expanded to Japan,
    Russia, Europe, and the United States.
    * Activities : Spear-phishing, malware deployment, information exfiltration, lateral
    movement, remote control. For espionage purposes this threat actor targets South Korean
    think tanks, industry, nuclear power operators, and the Ministry of Unification.
— 6. Motivation : Information theft and espionage
— 7. Attack methods : Kimsuky employs common social engineering tactics, spear-phishing,
and watering hole attacks to exfiltrate the desired information from victims.

1.2.2.2 Kimsuky Attack

Kimsuky uses a variety of techniques to enter systems and obtain sensitive information.
Their approach breaks down as follows :

Spearphishing emails
Spearphishing emails are one of the key tactics Kimsuky uses to obtain unauthorized access
to networks. These are emails sent to specific people or groups, and they frequently carry
malicious attachments or URLs. Kimsuky, for example, is known to employ Hangul Word Processor
(HWP) files, which are widely used in South Korea. These files contain exploits for known
vulnerabilities or a dropper masquerading as a document.

FIGURE 1.5 – Smoke Screen attack employed a legitimate-looking spearphishing email with a
malicious HWP file (Source : ESTsecurity)

Malicious Chrome extensions
Kimsuky has also been observed infecting users with malicious Google Chrome extensions. The
group lures users to websites that look trustworthy and then prompts them to install a Chrome
extension. Once installed, the extension can collect browser cookies and passwords.

FIGURE 1.6 – Kimsuky's malicious Google Chrome extension Sharpext's process flow (Source :
Volexity)

Exploiting vulnerabilities
Kimsuky is well known for exploiting known software vulnerabilities. For example, it has used
a Microsoft Office vulnerability (CVE-2017-0199) to execute malicious code from a crafted
document. By watching newly disclosed vulnerabilities and exploiting them before they are
patched, Kimsuky can gain access to systems with little warning.

FIGURE 1.7 – Vulnerability intelligence screenshot of CVE-2017-0199

Use of malware
Once Kimsuky has gained access to a machine, it uses malware to keep control of it. BabyShark
is one such tool, collecting data from infected systems. Keyloggers and remote-access tools
are also used to monitor the user's activity and obtain more information.

Kimsuky's attacks are meticulously planned and executed. The ability to combine spearphishing,
vulnerability exploitation, and malware distribution makes the group a serious threat.

1.2.2.3 Tools and Vulnerabilities Used by Kimsuky

Kimsuky conducts cyber-espionage campaigns using a range of tools and by exploiting a
variety of vulnerabilities. A closer look :
1 - Tools :
Kimsuky's toolbox is wide and diverse, demonstrating the group's expertise and versatility.
Its ability to exploit a variety of vulnerabilities and draw on a wide collection of tools
makes it a serious and persistent threat.


FIGURE 1.8 – Observed malware and software associated with Kimsuky

— BabyShark malware :
BabyShark is a significant tool in Kimsuky's arsenal. This VBScript-based malware is
designed to collect information from infected computers and is frequently delivered as a
second-stage payload via spearphishing emails.
— Gold Dragon :
Gold Dragon is a data-gathering implant discovered in December 2017 following a
spearphishing attack in Korea aimed at organizations associated with the 2018 Pyeongchang
Winter Olympics. As a second-stage backdoor implant, Gold Dragon provided a persistent
presence on the victim's machine after a fileless, PowerShell-based first stage that used
steganography (the PowerShell implant was hidden inside an image file).
The implant was capable of basic reconnaissance, data extraction, and downloading further
components from its command-and-control server.
— SWEETDROP :
SWEETDROP is a malware dropper that Kimsuky used actively during the COVID-19 pandemic.
It is a C/C++ Windows application that collects basic system information and can download
and run additional stages, such as Kimsuky's BITTERSWEET backdoor.


2 - Vulnerabilities exploited by Kimsuky :

FIGURE 1.9 – Observed CVEs used by Kimsuky

— CVE-2017-0199
Kimsuky used this flaw to deliver the BabyShark malware. It is a Microsoft Office
vulnerability in the handling of linked OLE objects that lets a specially crafted document
fetch and execute code (typically an HTA file) when it is opened.
— HWP exploits
In South Korea, Hangul Word Processor (HWP) files are widely used. Kimsuky has been known
to deploy droppers on computers using HWP files containing exploits for known
vulnerabilities.
— CVE-2015-2545
This is a Microsoft Office vulnerability that permits remote code execution via specially
crafted EPS image files. Kimsuky exploited this flaw to execute malicious code and install
malware on victim systems.
— CVE-2019-0604
Kimsuky used this Microsoft SharePoint vulnerability (a deserialization flaw) to execute
arbitrary code. Attackers can run arbitrary code in the context of the SharePoint
application pool and the SharePoint server farm account by submitting a specially crafted
SharePoint application package.

Kimsuky's combination of these tools and vulnerability exploits illustrates the group's
versatility and creativity : it achieves its goals with both bespoke and off-the-shelf tooling.
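As an added example (not code from the report or from any vendor), the document-side fingerprint of a CVE-2017-0199-style lure can be checked without opening the file: Office Open XML documents that pull an OLE object from outside the package through a relationship marked TargetMode="External", which is how the .docx variants of this exploit reach out for the HTA payload. The sample packages are built in memory and contain no exploit; the helper names (external_ole_links, verdict, build_docx) are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespace and relationship type for OLE objects (not report-specific).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_links(docx_bytes: bytes) -> list:
    """Return (rels_part, Id, Target) for every OLE-object relationship whose target
    lives outside the package. Every *.rels part is scanned, not only the main
    document's, because the link can also hang off a header, footer or footnote part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Target")))
    return hits


def verdict(docx_bytes: bytes) -> str:
    """'suspicious' if an external OLE link fetches over http(s) (the lure shape),
    'review' if it points at a UNC path or local file (same mechanism, may be a
    legitimate linked object), 'clean' if there is no external OLE link at all."""
    hits = external_ole_links(docx_bytes)
    if any(target.lower().startswith(("http://", "https://")) for _, _, target in hits):
        return "suspicious"
    return "review" if hits else "clean"


def build_docx(ole_target: str = "", external: bool = False) -> bytes:
    """Construct a minimal, harmless OOXML package for testing (constructed sample,
    not a real exploit document). With ole_target set, the document part gets one
    oleObject relationship to that target, external or embedded."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % RELS_NS]
    if ole_target:
        mode = ' TargetMode="External"' if external else ""
        rels.append('<Relationship Id="rId5" Type="%s" Target="%s"%s/>' % (OLE_REL, ole_target, mode))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        pkg.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        pkg.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("plain document", build_docx()),
        ("embedded OLE object", build_docx("embeddings/oleObject1.bin")),
        ("linked OLE over HTTP", build_docx("http://example.com/update.hta", external=True)),
    ]
    for label, doc in samples:
        print("%-22s -> %-10s %s" % (label, verdict(doc), external_ole_links(doc)))
```

The check is a triage signal rather than a proof of exploitation: the original CVE-2017-0199 samples were RTF files, whose equivalent is an objdata/objclass block referencing OLE2Link, and a .docx that links a chart from a file share will also land in "review". What the rule reliably catches is a document that has no business fetching an object from the internet at open time.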

1.2.2.4 The Targets of Kimsuky

Kimsuky's espionage primarily targets South Korean think tanks, industry, nuclear power
operators, and the Ministry of Unification.


Targeted Sectors
Kimsuky's cyber-espionage efforts are highly focused. The group concentrates on selected
industries and countries that align with North Korea's strategic aims. Kimsuky's most targeted
industries are :

— Government Institutions,
— Think Tanks and Academic Institutions,
— Media Outlets (Publishing Services),
— Critical Infrastructure (Energy & Utilities, Space & Defence, National Security & International Affairs),
— Cryptocurrency & NFT (Banking, Finance),
— Information Services

Targeted Countries
Kimsuky's activities are assessed to be aligned with the Reconnaissance General Bureau (RGB),
North Korea's foreign intelligence agency, and the group's main targets are :

— South Korea
— United States
— European Countries

1.2.2.5 Operations of Kimsuky

Kimsuky has been involved in a number of different activities, each with its own set of goals
and objectives. Kimsuky is credited with the following noteworthy operations :

1.2.2.6 South Korean Nuclear Reactor Cyberattack

Dates : December 2014

During this operation Kimsuky was linked to cyberattacks against South Korea's nuclear plant
operator, Korea Hydro & Nuclear Power (KHNP). The attack showcased Kimsuky's capabilities and
raised concerns about critical infrastructure security.

FIGURE 1.10 – Countries affected by Kimsuky

1.2.2.7 Operation Stolen Pencil

Active since at least May of 2018


Operation Stolen Pencil targeted academic institutions. Through spearphishing emails, Kimsuky
lured victims to websites that appeared to belong to legitimate academic organizations. The
victims were then asked to install a malicious Google Chrome extension, which was capable of
collecting browser cookies and passwords.
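The sideloaded-extension pattern described in the attack section above and again here for Operation Stolen Pencil (an extension the user is talked into installing outside the Chrome Web Store, with permissions that reach cookies on every site) can be hunted for on an endpoint by reading Chrome's per-profile Preferences file. The following is an added example, not code from the report or from any vendor; it assumes the extensions.settings.<id> layout of that file, with from_webstore, path and an embedded manifest per extension, and the sample JSON is constructed.

```python
import json

# Permissions and host patterns that let an extension reach cookies or traffic on every site.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "webNavigation"}
RISKY_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extension_settings(preferences_json: str) -> list:
    """Return [(extension_id, name, reasons)] for extensions that are sideloaded
    (from_webstore false) AND can reach cookies or traffic broadly.
    Assumes (this example's assumption) Chrome's 'extensions.settings.<id>' layout
    with 'from_webstore', 'path' and an embedded 'manifest' per extension."""
    settings = json.loads(preferences_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        manifest = ext.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        # Manifest V2 lists host patterns under permissions; V3 uses host_permissions.
        hosts = set(manifest.get("host_permissions", [])) | (perms & RISKY_HOSTS)
        reasons = []
        if perms & RISKY_PERMISSIONS:
            reasons.append("risky permissions: " + ", ".join(sorted(perms & RISKY_PERMISSIONS)))
        if hosts & RISKY_HOSTS:
            reasons.append("broad host access: " + ", ".join(sorted(hosts & RISKY_HOSTS)))
        # Web Store extensions with broad reach are common (ad blockers, password managers);
        # sideloading combined with broad reach is the pairing that matches this tradecraft.
        if reasons and not ext.get("from_webstore", False):
            reasons.insert(0, "sideloaded (from_webstore false), path=" + ext.get("path", "?"))
            findings.append((ext_id, manifest.get("name", "?"), reasons))
    return findings


# Constructed sample of the relevant slice of a Preferences file (not real data).
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {          # Web Store ad blocker: broad reach, but expected
        "from_webstore": True,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
        "manifest": {"name": "Example Ad Blocker",
                     "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]},
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {          # unpacked extension dropped under the user profile
        "from_webstore": False,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\viewer_helper",
        "manifest": {"name": "Document Viewer Helper",
                     "permissions": ["cookies", "tabs", "webRequest", "<all_urls>"]},
    },
    "cccccccccccccccccccccccccccccccc": {          # sideloaded but harmless: no risky reach
        "from_webstore": False,
        "path": "C:\\dev\\my_theme",
        "manifest": {"name": "Internal Theme", "permissions": ["storage"]},
    },
}}})


if __name__ == "__main__":
    for ext_id, name, reasons in audit_extension_settings(SAMPLE_PREFERENCES):
        print(ext_id, name)
        for reason in reasons:
            print("  -", reason)
```

Run it against each profile's Preferences and Secure Preferences files (on Windows under the user's Chrome User Data directory; the exact path is an assumption to confirm on the image) and treat any hit as a ticket rather than a verdict. Chrome also protects these files with an HMAC; an extension entry whose signature does not verify, or that was written by something other than Chrome, is a finding on its own, and this example does not check for that.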

1.2.2.8 Foreign Ministries and Think Tanks Spearphishing Campaign

Late 2018
Kimsuky ran a spearphishing campaign against several foreign ministries and think tanks. The
spearphishing emails contained malicious Microsoft Word documents that downloaded and
executed the BabyShark malware by exploiting a known vulnerability (CVE-2017-0199). The
United Nations Security Council, the United States Department of State, and various think
tanks in the United States and Europe featured among the targets.


FIGURE 1.11 – Campaign page of ReconShark, a tool used by Kimsuky

1.2.2.9 Operation AppleSeed

2021
During this operation Kimsuky was observed delivering a backdoor known as AppleSeed. The group
targeted South Korean government agencies with spearphishing emails; when the malicious
attachments were opened, they installed the AppleSeed backdoor on the victim's PC, enabling
Kimsuky to exfiltrate data and execute commands remotely.

1.2.2.10 Operation CloudDragon

2023
Kimsuky has been linked to a campaign titled Operation CloudDragon. This campaign employs
social engineering, spearphishing, and bespoke malware to target think tanks, news outlets,
and North Korea specialists. Kimsuky used forged URLs, impersonated journalists, and
weaponized Office documents to steal credentials and acquire strategic intelligence.


1.2.2.11 Emulating Kimsuky’s Espionage Operations

April 2023
AttackIQ has released four new attack graphs that emulate Kimsuky's espionage operations.
This politically motivated North Korean adversary has conducted sophisticated espionage
campaigns, and the attack graphs give insight into its tactics and procedures.

1.2.2.12 Social Engineering and Spearphishing Campaigns

June 2023
Kimsuky has been conducting social engineering campaigns targeting think tanks, academia, and
the news media, according to a joint Cybersecurity Advisory issued by US and Republic of Korea
(ROK) authorities. The advisory details how Kimsuky actors operate and the warning signs of
spearphishing attacks. North Korea places a high value on the intelligence obtained from
these campaigns. Kimsuky has engaged in impersonation efforts and has targeted governments,
political groups, and other organizations for intelligence gathering.

FIGURE 1.12 – Example of an email impersonating a think tank researcher


These recent campaigns demonstrate Kimsuky's continued intelligence-gathering activity as
well as the fluid nature of its techniques.

1.2.2.13 Connections with Other APT Groups

Kimsuky is one of several APT groups assessed to be based in North Korea. While Kimsuky
operates autonomously, there is evidence that it is linked to other North Korean APT groups.

Lazarus
The Lazarus Group, for example, is well known for its global cyber-espionage and criminal
operations. It has been linked to high-profile attacks such as the 2014 Sony Pictures breach
and the 2017 WannaCry ransomware campaign.

While there is no clear proof tying Kimsuky to the Lazarus Group, their techniques and
targets overlap. Furthermore, both groups are assessed to be backed by the North Korean
government, which suggests they may share resources or knowledge.
APT37 (Reaper)
APT37, or Reaper, another North Korean APT group, has been active since at least 2012. Like
Kimsuky, APT37 has mostly targeted South Korea but has also carried out attacks in Japan,
Vietnam, and the Middle East. In its cyber-espionage efforts, APT37 is known for using
zero-day vulnerabilities and custom malware.

While there is no solid proof of direct coordination between Kimsuky and APT37, the
similarities in their targets and techniques suggest that they may be part of a coordinated
North Korean government cyber-espionage effort.

In summary, while Kimsuky operates autonomously, it is part of a wider ecosystem of North
Korean APT groups. The shared methods, goals, and likely state backing indicate that these
groups are either loosely related or pursue similar objectives.

The keyword "Kim" appears in several of the strings associated with the group :

— "kimm.r-naver[.]com",
— "kimsukyang" and "Kim asdfa", the registered owners of the iop110112@hotmail[.]com and
rsh1213@hotmail[.]com accounts extracted in one of the first observations (the origin of
the "Kimsuky" name),
— other IoCs contain "tjkim", "kimyfrenotsure", "kimshan", "Kim_Summit", etc.

These and other IoCs may be found on the Kimsuky Threat Actor page of SOCRadar XTI's Cyber
Threat Intelligence Module.

FIGURE 1.13 – SOCRadar XTI Threat Actor page of Kimsuky

These IoCs also support treating Kimsuky as a threat actor distinct from other North Korean
groups.

1.2.2.14 Recent Actions Against Kimsuky & New Tactics of Kimsuky

International authorities have recently taken significant action against the Kimsuky APT
group. The US Treasury Department, in coordination with foreign partners, sanctioned the
Kimsuky group and eight North Korean agents. The action was taken in response to North Korea's
claimed military reconnaissance satellite launch, with the goal of impeding its ability to
generate revenue and advance its weapons of mass destruction (WMD) programs. The sanctions
are part of a broader campaign to confront Pyongyang's unlawful activities, which include
cyber espionage and endanger global security. More details may be found in the US Department
of the Treasury's press release.

Separately, the AhnLab Security Emergency Response Center (ASEC) reported that Kimsuky is
using a malicious JSE (JScript Encoded) file disguised as an import declaration to target
South Korean research organizations. The file contains an obfuscated PowerShell script, a
Base64-encoded backdoor, and a decoy PDF that is shown to the victim. The malware persists on
the infected system and collects sensitive data such as the system's anti-malware status,
network information, and user data. It encrypts the results of command execution before
sending them to the command-and-control server, which makes detection harder. AhnLab's
findings underline the need for caution when opening email attachments from unfamiliar
sources, since Kimsuky frequently uses them for targeted attacks.

1.3 CONCLUSION

Since its discovery in 2013, Kimsuky, a North Korean cyber-espionage group, has been a
persistent and expanding threat. Kimsuky has targeted government institutions, think tanks,
academic institutions, and critical infrastructure in South Korea, as well as the United
States and Europe, with an emphasis on intelligence collection.

Kimsuky's methods are clever and diverse, ranging from spearphishing emails and the
exploitation of software vulnerabilities to malicious Chrome extensions and custom malware.
The group's capacity to adapt and change its methods makes it especially dangerous.

Furthermore, Kimsuky is not acting alone. It is part of a wider North Korean APT network
that includes the Lazarus Group and APT37. While these groups operate independently, they
share methods and targets, implying a concerted effort by the North Korean government.

Kimsuky's worldwide reach and dynamic nature underscore the importance of vigilance and
comprehensive cybersecurity measures. As Kimsuky adapts and evolves, so must the defenses
against it.


1.4 How to Defend Against Kimsuky

Because Kimsuky targets organizations across nations and industries, the number of
organizations that should be concerned is larger than for most nation-state APTs.

"So what we've been preaching everywhere," Barnhart (Michael Barnhart of Mandiant) explains,
"is that there is strength in numbers. With all of these groups all across the world, it's
critical that we all communicate with one another. It is critical that we work together.
Nobody should work in a vacuum."

And, he emphasizes, because Kimsuky exploits people as conduits for larger attacks, everyone
must be alert. "It's important that we all have this baseline of: don't click on links, and
use your multi-factor authentication."

Even North Korean hackers can be stopped with basic spear-phishing precautions. "From what
we're seeing, it does work if you actually take the time to follow your cyber hygiene,"
Barnhart said.

1.5 Security Recommendations Against Kimsuky

– Educate and train staff: train employees regularly to recognize phishing emails and malicious
attachments. Because spearphishing is Kimsuky’s main way in, awareness of it is critical.
– Keep software updated: patch all software promptly so that known vulnerabilities are closed.
This reduces the number of ways Kimsuky can gain unauthorized access.
– Implement multi-factor authentication (MFA): use MFA wherever practicable, especially for
sensitive systems and data, so that a stolen or phished password alone does not grant access.
– Monitor for suspicious activity: monitor networks and systems continuously for unusual
behavior that could signal a breach.
– Use security software: deploy security tooling capable of detecting and blocking malware
and other malicious behavior.
– Collaborate and share information: work with other organizations and government
agencies to exchange information on threats and effective defensive measures.
– Develop an incident response plan: have a plan in place for responding to security incidents.
Knowing how to respond in the event of a breach is critical.

Organizations that follow these precautions reduce their chance of falling prey to Kimsuky
and other cyber-espionage groups.

In an ever-changing threat landscape, awareness and preparation are critical to staying
safe. Cyber Threat Intelligence is one of the most effective tools an organization can use against
a specific group engaged in espionage. Knowing the current weaknesses in the firm’s own assets,
for example, allows it to act early against potential threats.

Figure 1.14 – Company Vulnerabilities page under the Attack Surface Management Module

1.6 Indicators of compromise (IOC)

IOC (Chrome Remote Desktop attack), MD5:

– 80f381a20d466e7a02ea37592a26b0b8 : AppleSeed (AdobeService.dll)
– b6d11017e02e7d569cfe203eda25f3aa : AppleSeed (EastSoftUpdate.dll)
– d2eb306ee0d7dabfe43610e0831bef49 : Info Stealer
– d6a38ffdbac241d69674fb142a420740 : RDP Patcher
– 946e1e0d2e0d7785d2e2bcd3634bcd2a : Chrome Remote Desktop Launcher (23.bat)

IOC (AppleSeed):

Figure 1.15 – IOC (AppleSeed)
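As an added example (not part of the original report or of any vendor tooling), the following Python script shows how the MD5 indicators listed above are typically consumed on an endpoint: hash every regular file under a directory tree and report any that match the IOC set. The five hash values are copied from the list above; everything in `demo()` (the directory layout, the file contents and the "constructed test sample" label) is constructed for the example, and because the real Kimsuky samples are not available the demo extends a copy of the IOC set with the hash of a planted stand-in file.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 indicators copied from the Chrome Remote Desktop IOC list above.
KIMSUKY_MD5_IOCS = {
    "80f381a20d466e7a02ea37592a26b0b8": "AppleSeed (AdobeService.dll)",
    "b6d11017e02e7d569cfe203eda25f3aa": "AppleSeed (EastSoftUpdate.dll)",
    "d2eb306ee0d7dabfe43610e0831bef49": "Info Stealer",
    "d6a38ffdbac241d69674fb142a420740": "RDP Patcher",
    "946e1e0d2e0d7785d2e2bcd3634bcd2a": "Chrome Remote Desktop Launcher (23.bat)",
}


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory blob (small inputs and tests)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through MD5 in 1 MiB chunks so large binaries are not loaded whole."""
    h = hashlib.md5()  # on FIPS-mode builds pass usedforsecurity=False (Python 3.9+)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=KIMSUKY_MD5_IOCS):
    """Hash every regular file under root; return (path, md5, label) for each IOC match.

    Symlinks are skipped so a planted link cannot steer the scanner outside root,
    and unreadable files are ignored instead of aborting the whole scan.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = md5_of_file(p)
            except OSError:
                continue
            label = iocs.get(digest.lower())
            if label is not None:
                hits.append((str(p), digest, label))
    return hits


def demo():
    """Constructed demo tree: one benign file plus a planted stand-in for 23.bat.

    The real samples are not available, so the stand-in's own MD5 is added to a copy of
    the IOC set; the five real indicators stay in the set and (correctly) match nothing.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_bytes(b"quarterly figures\n")
        (root / "AppData").mkdir()
        stand_in = root / "AppData" / "23.bat"
        stand_in.write_bytes(b"@echo off\r\nrem constructed stand-in for the CRD launcher\r\n")
        iocs = dict(KIMSUKY_MD5_IOCS)
        iocs[md5_of_file(stand_in)] = "constructed test sample"
        return scan_tree(root, iocs)


if __name__ == "__main__":
    for path, digest, label in demo():
        print(f"{digest}  {label}  {path}")
```

A hash hit is high-confidence but low-coverage: any recompilation or repacking of AppleSeed changes the MD5, so the list above catches only byte-identical samples. In practice this check is paired with behavioral detection, for instance alerting on an unexpected Chrome Remote Desktop installation or on a batch file launching it, which is the activity the last indicator points at.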

1.7 MITRE ATT&CK TTPs Used by Kimsuky

Figure 1.16 – MITRE ATT&CK TTPs Used by Kimsuky

GENERAL CONCLUSION

Kimsuky is a well-known cyber threat group that is thought to be state-sponsored and
affiliated with North Korea. Kimsuky has gained recognition for its relentless and sophisticated
cyber espionage efforts, particularly against South Korean entities such as government
agencies, military institutions, think tanks, and universities, since at least 2012.

It can be difficult to attribute cyber operations to individual threat actors; however, Kimsuky
is commonly considered to have links to the North Korean government. The group’s goals
appear to be centered on intelligence collection, with an emphasis on gaining information
relevant to North Korea, its opponents, and regional geopolitical events.

Kimsuky’s cyber operations include a wide range of tactics, techniques, and procedures (TTPs),
such as spear-phishing campaigns, social engineering, and the use of custom-developed
malware. The group has shown the capacity to evolve its cyber capabilities by adapting
its TTPs over time.

Kimsuky rose to prominence after its involvement in "Operation Troy" in 2013, a cyber espionage
campaign targeting South Korean military organizations. The group later broadened its targeting to
include entities in the United States, displaying an opportunistic attitude by using global events
such as the COVID-19 pandemic as phishing lures.

Understanding Kimsuky’s strategies and aims is critical for cybersecurity experts and companies.
Because of the group’s persistent and dynamic nature, ongoing monitoring, threat intelligence
sharing, and proactive cybersecurity measures are required to mitigate the risks it poses.

The purpose of this paper is to give a thorough examination of Kimsuky’s historical actions,
milestones, and campaign transitions, providing insights into the group’s history and the shifting
landscape of state-sponsored cyber threats.

BIBLIOGRAPHIE

[1] https://socradar.io/apt-profile-kimsuky/

[2] https://www.cyfirma.com/outofband/n-korean-hacking-group-kimsuky-escalates-attacks/

[3] https://www.darkreading.com/threat-intelligence/north-korea-kimsuky-apt-keeps-growing-despite-public-outing

[4] https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/

[5] https://attack.mitre.org/versions/v7/techniques/enterprise/

[6] https://www.cisa.gov/sites/default/files/publications/TLP-WHITE_AA20-301A_North_Korean_APT_Focus_Kimsuky.pdf

[7] https://en.wikipedia.org/wiki/Kimsuky

[8] https://www.trmlabs.com/post/us-treasury-sanctions-north-korean-cyber-intrusion-group-kimsuky

[9] https://therecord.media/state-sponsored-north-korean-hackers-responsible-for-blitz-of-attacks-in-2021

[10] https://www.cybereason.com/blog/research/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

[11] https://www.darkreading.com/threat-intelligence/north-korea-kimsuky-apt-keeps-growing-despite-public-outing

[12] https://www.cyfirma.com/outofband/n-korean-hacking-group-kimsuky-escalates-attacks/

[13] https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-globalcampaign/

[14] https://www.tanium.com/blog/north-koreas-kimsuky-cyber-spies-cyber-threat-intelligence-roundup/

[15] https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage

[16] https://www.blackberry.com/us/en/solutions/threat-intelligence/2023/threat-intelligence-report-jan#threatactors

[17] https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html

[18] https://download.ahnlab.com/global/brochure/04.%20ATIP_Threat%20Trend%20Report%20on%%20Group%202021_20220128.pdf

[19] https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f

[20] https://www.datasecuritybreach.fr/kimsuky-thallium-ta406/

[21] https://thehackernews.com/2023/12/kimsuky-hackers-deploying-appleseed.html
