Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1
18 February, 2020
For years, we have tracked the espionage threat actor we call Black Banshee (also known in open source as Kimsuky). In 2019, it launched multiple parallel cyber espionage campaigns, from large-scale credential harvesting to narrowly targeted espionage and exfiltration operations.
The foundations for this activity began in August 2018, when we observed Black Banshee setting up a substantial number of domains impersonating organisations across the government, academia, and policy sectors. This formed the basis for multiple spear-phishing and credential harvesting campaigns.
In tracking Black Banshee, we have identified a number of highly characteristic elements of the threat actor’s tools, techniques, and procedures (TTPs). In the two parts of this retrospective look at Black Banshee’s 2019 activity, we will:
Firstly, let us dive into Black Banshee’s mannerisms in setting up its infrastructure. Across 2019, it was possible to tie together different Black Banshee campaigns through the IP addresses used. For example, on …