Seoul sanctions North Korea’s hacking group, details its activities


South Korea has announced new sanctions against Kimsuky, a North Korean hacking syndicate. Together with Washington, Seoul also issued a joint cyber alert warning of the group’s social engineering efforts.

“For the first time in the world, the South Korean government designated ‘Kimsuky’ as the subject of independent sanctions against North Korea,” Seoul’s foreign ministry said in a press release.

The sanctions are intended to curb the group’s activities targeting South Korea, the ministry said. It also listed two crypto wallet addresses used by Kimsuky which are now off limits under local law.


The release states that South Korea is directly responding to the North’s unsuccessful attempt to put a military reconnaissance satellite into orbit on Wednesday.

According to the ministry, hacker groups from North Korea including Kimsuky have been “directly or indirectly involved in the development of North Korea’s so-called satellite by stealing cutting-edge technologies related to weapons development and artificial satellites and space all over the world.”

Kimsuky specifically is stealing sensitive information by conducting large-scale social engineering campaigns, an accompanying joint advisory by the US Department of State, the Federal Bureau of Investigation, the National Security Agency, and the South Korean foreign ministry, the National Police Agency, and the National Intelligence Service said.

The hacking collective’s spear-phishing campaigns that convincingly impersonate real people target professionals at think tanks, academic institutions, and news outlets devoted to the situation on the Korean peninsula.

Kimsuky is good at social engineering, the advisory acknowledges. “For over a decade, Kimsuky actors have continued to refine their social engineering techniques and made their spear-phishing efforts increasingly difficult to discern,” it says.

These cyber actors allegedly begin their campaigns with broad research and preparation, and often use open-source information to identify potential targets of value. They then tailor their online personas to appear more realistic and convince victims more thoroughly.

Kimsuky actors are also well-acquainted with their target’s interests and update the content of their introductory emails to reflect current events discussed among the community of North Korea watchers, the advisory said.

Sample email communication from Kimsuky. Image by Cybernews.

The emails usually come with attached malicious documents or links, called the “lure files” in the advisory. They are presented as reports or news articles but in fact contain malware — if the recipients open them, Kimsuky can establish control over the compromised system and maintain access to it.

Potential targets are advised to look out for red flags like awkward sentences and grammatical errors, the use of North Korean phrases, or slight differences between real and fake email domains.
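One of those red flags, a sender domain that differs only slightly from a real one, can be screened for automatically. The following is an added example, not code from the advisory or from Cybernews; the trusted domain list and the sample addresses are constructed for illustration.

```python
"""Flag sender domains that closely resemble a known-good domain.

Added example for the "slight differences between real and fake email
domains" red flag. TRUSTED_DOMAINS is an assumed, constructed allow-list
of domains an organisation legitimately corresponds with.
"""

TRUSTED_DOMAINS = {"example-thinktank.org", "example-university.edu", "example-news.com"}

# Characters or pairs commonly swapped in to mimic a legitimate domain.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case the domain and fold confusable characters to their look-alikes."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def classify_sender(address: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an email address.

    A domain is a lookalike when, after confusable folding, it matches or is
    within max_distance edits of a trusted domain without being identical to it.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(folded, normalize(trusted)) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":  # constructed sample senders
    for addr in ["analyst@example-thinktank.org", "analyst@examp1e-thinktank.org",
                 "editor@example-news.co", "someone@gmail.com"]:
        print(f"{addr}: {classify_sender(addr)}")
```

Distance-based matching trades false positives for recall; a lookalike verdict is a prompt for out-of-band confirmation, not proof of a phishing attempt.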

In addition, experts recommend possible mitigation steps such as setting up strong passwords, multi-factor authentication, or using antivirus software. In general, it’s smart to exercise caution in confirming any requests.

In March, German and South Korean government authorities warned about cyber attacks mounted by Kimsuky that entail the use of rogue browser extensions to steal users' Gmail inboxes.

In 2022, data from cybersecurity firm Zscaler showed that a threat actor, thought to be the North Korean group Lazarus, had been targeting Seoul in a sophisticated spear-phishing campaign.