The North Korean threat group known as Kimsuky, or APT43, has attracted significant attention worldwide, yet shows no signs of slowing down its operations. Kimsuky is aligned with the North Korean government, and its primary objective is espionage, particularly in the fields of policy and nuclear weapons research. It targets sectors such as government, energy, pharmaceuticals, and finance, mostly in countries North Korea regards as arch-enemies, including South Korea, Japan, and the United States.
While CISA has traced the group’s activity back to 2012, interest in Kimsuky surged last month due to a report by Mandiant and a Chrome extension-based campaign that resulted in a joint warning from German and Korean authorities. In a blog published on April 20, VirusTotal revealed a spike in malware lookups associated with Kimsuky. Despite the increased scrutiny, Kimsuky appears unfazed, unlike other APTs, which tend to go underground when exposed. Michael Barnhart, principal analyst at Mandiant, notes that Kimsuky has shown no signs of slowing down.
What’s Going on with Kimsuky?
Kimsuky, the government-aligned threat actor, has undergone several iterations and splits, including a division into two subgroups. Its area of expertise is spear phishing, in which members impersonate targeted organizations in phishing emails for weeks at a time. Its malware is less predictable and has included malicious browser extensions, remote access Trojans, modular spyware, and more, some of it commercial and some not. VirusTotal’s recent blog post highlighted Kimsuky’s tendency to deliver malware via .docx macros, and in some cases the group used CVE-2017-0199, a high-severity (CVSS 7.8) arbitrary code execution vulnerability in Windows and Microsoft Office.
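As an added illustration (not code from the article, Mandiant, or VirusTotal), here is a small Python triage check for the two document-delivery indicators the article names: a VBA macro project inside an Office Open XML file, and an OLE object relationship whose target is an external URL, which is the document-level shape of one well-known form of CVE-2017-0199 exploitation. The sample files are constructed in memory, and the example.invalid URL is a placeholder.

```python
import io
import re
import zipfile


def triage_ooxml(data: bytes) -> dict:
    """Inspect an OOXML (.docx/.docm) file given as bytes and report
    a macro project and any OLE relationships with an external target."""
    findings = {"macros": False, "external_ole": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Macros live in a vbaProject.bin part regardless of the file extension
        findings["macros"] = any(n.endswith("vbaProject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            rels = zf.read(name).decode("utf-8", "replace")
            for tag in re.findall(r"<Relationship\b[^>]*>", rels):
                # An oleObject relationship that points outside the document
                # is the pattern used by external-link OLE exploitation
                if "oleObject" in tag and 'TargetMode="External"' in tag:
                    target = re.search(r'Target="([^"]*)"', tag)
                    findings["external_ole"].append(target.group(1) if target else "?")
    return findings


def build_sample(external_target=None, with_macro=False) -> bytes:
    """Constructed sample: a minimal OOXML zip, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rel = ""
        if external_target:
            rel = ('<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/'
                   'officeDocument/2006/relationships/oleObject" '
                   f'Target="{external_target}" TargetMode="External"/>')
        zf.writestr("word/_rels/document.xml.rels", f"<Relationships>{rel}</Relationships>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(build_sample()))
    print(triage_ooxml(build_sample("http://example.invalid/payload.doc", True)))
```

Either indicator on its own is only a reason to look closer (legitimate documents use macros and linked objects too), but together with a spear-phishing lure they justify detonating the file in a sandbox rather than opening it.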
VirusTotal also revealed that most of the uploaded malware samples are from South Korea and the United States, which is in line with the group’s history and motives. Nevertheless, Kimsuky’s influence extends to countries such as Italy and Israel, which are not typically associated with North Korean politics. The second-largest number of sample lookups came from Turkey, which suggests that Turkey could be a victim of, or a conduit for, North Korean cyber attacks.
How to Defend Against Kimsuky
The scope of Kimsuky’s targets, spanning various countries and sectors, means that a larger range of organizations needs to be vigilant against its attacks than is the case for most nation-state APTs. “What we’ve been advocating everywhere,” says Barnhart, “is strength in numbers. With all these organizations around the world, it’s crucial that we communicate with each other and collaborate. No one should be working in isolation.”
Furthermore, since Kimsuky uses individuals as conduits for more significant attacks, everyone must remain vigilant. “It’s crucial that we all adopt basic practices such as avoiding clicking on links and using multi-factor authentication.” With simple safeguards against spear phishing, even North Korean hackers can be thwarted. “From what we’re observing, it does work if you take the time to follow your cyber hygiene,” notes Barnhart.
Author: Nate Nelson, Contributing Writer, Dark Reading