Seoul sanctions North Korean hacking group Kimsuky

South Korea sanctioned North Korean hacking group “Kimsuky” believed to be behind major cyber attacks and stealing satellite technology worldwide...

An example of an email sent out by North Korean agents working on Kimsuky spearphishing campaigns, impersonating a journalist requesting an interview or information, shared by the U.S. and South Korean governments in their joint cybersecurity advisory issued Thursday. [SCREEN CAPTURE]

South Korea sanctioned North Korean hacking group “Kimsuky” believed to be behind major cyber attacks and stealing satellite technology worldwide.

“It has collected intelligence from individuals and institutions in the fields of diplomacy, security and national defense, and has provided it to the North Korean regime,” said the Foreign Ministry in a statement Friday. “In addition, North Korean hacking organizations including ‘Kimsuky’ have been directly or indirectly involved in the development of North Korea’s so-called ‘satellite’ by stealing advanced technologies globally related to weapons development, artificial satellites and space.”

The Korean government also issued a joint cybersecurity advisory with the U.S. State Department, Federal Bureau of Investigation and National Security Agency on North Korean hacking campaigns.

“These North Korean cyber actors are known to conduct spear phishing campaigns posing as real journalists, academics, or other individuals with credible links to North Korean policy circles,” reads the advisory issued Thursday.

“The DPRK employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets,” it added, referring to North Korea by the acronym of its official name, the Democratic People’s Republic of Korea.

Kimsuky is a set of North Korean cyber actors administratively subordinate to an element within North Korea’s Reconnaissance General Bureau (RGB), according to the joint U.S.-South Korean advisory.

The group has “conducted broad cyber campaigns in support of RGB objectives since at least 2012," it said.

“Kimsuky actors’ primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime,” it added.

The North Korean hackers operating a Kimsuky spear phishing campaign would often impersonate a journalist, an academic scholar, or a think tank researcher, to send out an email requesting an interview or participation in a survey.

“A Kimsuky actor will use multiple personas to engage a target; one persona to conduct initial outreach and a second persona to follow-up on the first engagement to distract a potential victim from discerning the identity of the original persona,” reads the joint cybersecurity advisory.

“Once DPRK cyber actors establish engagement with a target, the actors attempt to compromise the account, device, or network belonging to the target by pushing malicious content in the form of a malicious macro embedded within a text document,” it said. “This document is either attached directly to the email, or stored in a file hosting service, such as Google Drive or Microsoft OneDrive. These malicious macros, when enabled, quietly establish connections with Kimsuky command and control infrastructure, and result in the provision of access to the target’s device.”

Kimsuky was behind several large-scale cyberattacks in South Korea in recent years.

From May to June 2021, the personal information of some 830,000 people at the Seoul National University Hospital was stolen by a group of North Korean agents believed to be operating within Kimsuky, according to the police.

The group was also blamed for the 2014 cyberattack on South Korea’s state-backed Korea Hydro & Nuclear Power, a subsidiary of the Korea Electric Power Corporation.

The South Korean government became the first in the world to sanction Kimsuky on Friday, said the Foreign Ministry. The ministry also shared the digital currency address of the group.

As of Friday, the South Korean government has sanctioned 43 individuals and 45 organizations tied with the North’s illicit cyber activities funding its weapons programs.

Prior permission from the Bank of Korea or the Financial Services Commission is required to engage in foreign exchange or financial transactions with the targets of these sanctions, said the ministry.

Any transactions without permission may be punished under relevant laws, it said.

BY ESTHER CHUNG [chung.juhee@joongang.co.kr]