To catch a Banshee: How Kimsuky’s tradecraft betrays its complementary campaigns and mission
Sveva Vittoria Scenarelli
PwC UK
September 2020
Presenter + team
Sveva Vittoria Scenarelli (@cyberoverdrive), Senior Threat Intelligence Analyst @PwC UK ... but really, it takes a team.
John Southworth (@BitsOfBinary)
Jason Smart (@pewpew_lazors)
● Focus on APAC-based APTs
● “Malware intertextuality” & codebase evolution analysis
● CONFidence Online 2020, CyberThreat 2019
Kimsuky: a timeline
Timeline axis markers as they appear on the slide (the link between each event and its date did not survive extraction): 2013, 09, 2014, 11, 2015, 2016, 01, 12, 2017, 12
● Olympics PowerShell + GoldDragon: Disclosure of a campaign targeting entities involved with the PyeongChang Olympics with a PowerShell implant and GoldDragon RAT.
● BabyShark begins: A multi-stage, script-based downloader is used to target policy, national security, and cryptocurrency entities in the US, South Korea, and Europe.
● KHNP Breach: KHNP employees hacked; Kimsuky poses as the “Who am I = No Nuclear Power” hacktivist persona and threatens sabotage attacks.
● The Kimsuky Operation: Disclosure of an espionage campaign targeting South Korean defence think tanks and Korea unification policy organisations.
● Malicious HWP spear phishing: Universities and public sector entities receive malicious documents created by author “MOFA” and leading to installation of Kimsuky implants.
● Government & research credential phishing: South Korean authorities attributed to Kimsuky a spear phishing campaign impersonating the Cheongwadae.
● Operation Red Salt: Disclosure of an …