lazarusholic

Everyday is lazarus.dayβ

Kimsuky

the King of the Spear-Phishing

2013-09-11, Kaspersky
The “Kimsuky” Operation: A North Korean APT?
"Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions."

- MITRE, https://attack.mitre.org/groups/G0094/
"Kimsuky(also known as Velvet Chollima and Black Banshee) is a North Korean advanced persistent threat group that targets South Korean think tanks, industry, nuclear power operators, and the South Korean Ministry of Unification for espionage purposes. In recent years Kimsuky has expanded their operations to include states such as Russia, the United States, and European nations."

- Wikipedia, https://en.wikipedia.org/wiki/Kimsuky
"Who’s Kim? It’s interesting that the drop box mail accounts [email protected] and [email protected] are registered with the following “kim” names: kimsukyang(김석양 or 김숙향) and “Kim asdfa”."

- Kaspersky, https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/
"This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes."

- malpedia, https://malpedia.caad.fkie.fraunhofer.de/actor/kimsuky
"(Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored."

- ETDA, https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5e3544bf-98ad-4e9f-b65e-85f05c36486f
"Kimsuky是一个来自朝鲜的威胁组织,至少自2013年9月以来一直活跃。主要攻击范围为韩国,涉及行业包括国防、教育、能源、政府、医疗以及智囊团等领域,并以机密信息窃取为主要目的。该组织被认为与2014年韩国水电与核电公司(KHNP)受到的攻击有关。通常使用社会工程学、鱼叉邮件、水坑攻击等手段投递恶意软件,拥有功能完善的恶意代码武器库。"

- RedQueen, https://redqueen.tj-un.com/threatOrganizationDetails.html?id=2c91828270577791017065a236c30000
"Kimsuky Threat Actor Intelligence Profile"

- Cybergeist, https://cybergeist.io/profile/kimsuky

Also known as

 
Name Named by AKA First seen Last seen
APT-C-55 Qihoo360 Kimsuky 2021-11-19 2025-02-11
APT-Q-2 Qianxin Kimsuky 2022-03-23 2024-06-20
APT43 Mandiant Kimsuky 2023-03-28 2025-01-29
ARCHIPELAGO Google APT43 2023-04-05 2023-04-05
BlackBanshee PWC Kimsuky 2020-02-18 2022-04-29
Cerium Microsoft Kimsuky 2021-10-07 2022-11-07
CloudDragon TeamT5 Kimsuky 2021-05-07 2023-05-12
DarkPeony NTTSecurity Kimsuky 2024-06-05 2024-06-13
DarkPlum NTTSecurity Kimsuky 2024-10-03 2024-11-19
EmeraldSleet Microsoft Thallium 2023-04-19 2024-02-14
G0094 MITRE Kimsuky 2019-08-26 2019-08-26
ITG16 IBM Kimsuky - -
KTA082 Kroll Kimsuky 2024-03-05 2024-03-05
KimDragon TeamT5 Kimsuky 2021-05-07 2021-05-07
Kimsuky Kaspersky - 2013-09-11 2025-02-11
NNPTGroup SelfGiven Kimsuky 2014-12-15 2015-04-02
NickelKimball SecureWorks Kimsuky - 2024-10-08
Phisherman KRCERT Kimsuky 2020-02-29 -
RGB-D5 IssuemakersLab Kimsuky 2020-04-08 2020-12-24
RedKim KRCERT Kimsuky - -
RubySleet Microsoft Cerium 2023-04-19 2024-11-22
SectorA05 NSHC Kimsuky 2019-01-10 2025-02-06
SeedpuNK S2W Kimsuky 2024-10-02 2024-10-02
SharpTongue Volexity Kimsuky 2022-07-28 2023-10-05
SparklingPisces PaloaltoNetworks Kimsuky 2024-09-09 2024-09-26
Springtail Symantec Kimsuky 2024-03-20 2024-05-16
TA408 Proofpoint Kimsuky 2021-11-19 2021-11-19
TA427 Proofpoint Kimsuky 2021-11-19 2024-04-20
TAG-46 RecordedFuture Kimsuky 2024-01-10 2024-01-10
TAG-66 RecordedFuture Kimsuky 2024-01-10 2024-01-10
Thallium Microsoft Kimsuky 2019-12-30 2022-02-16
UAT-5394 CiscoTalos Kimsuky 2024-08-21 2024-09-02
UNC1130 Mandiant Kimsuky 2021-08-18 2022-08-18
UNC1873 Mandiant APT43 2023-03-28 2023-03-28
UNC3782 Mandiant APT43 2023-04-20 2023-04-20
UNC4469 Mandiant APT43 2023-04-20 2023-04-20
VelvetChollima CrowdStrike Kimsuky 2019-02-19 2024-12-13
WhoamI SelfGiven NNPTGroup 2014-12-15 2015-04-02

Reports