Unmasking Kimsuky: Insights from NTT Security Holdings on the cyber espionage group linked to North Korea
NTT Security Holdings’ recent research shines light on one of the most persistent cyber espionage groups linked to North Korea: Kimsuky.
The Kimsuky threat
Kimsuky, or DarkPlum as the group is referred to by NTT Security Holdings cyber security analysts, is known for targeting government agencies, military organizations, academic institutions, and think tanks. The group has expanded its scope to multiple regions, including South Korea, Japan, Europe, and the United States. Kimsuky’s espionage operations are particularly notable for their strategic combination of advanced technical skills with sophisticated social engineering techniques.
Beyond espionage, Kimsuky is also involved in cryptocurrency theft, likely to fund its activities. This two-sided approach is both a testament to the group’s technical ability and a reminder of the threat it poses to global financial security.
Mapping Kimsuky’s infrastructure
Our NTT Security Holdings cyber security analysts Amata Anantaprayoon in Sweden and Rintaro Koike in Japan have been closely tracking Kimsuky’s activities and recently uncovered new insights into the group’s infrastructure. Through Open Source Intelligence (OSINT) platforms, malware Indicators of Compromise (IoCs), and data from large-scale networks, they have mapped the infrastructure Kimsuky uses to conduct its cyber operations.
OSINT and malware IoCs: A deeper look
Amata’s and Rintaro’s research began with OSINT discovery, focusing on identifying Kimsuky’s infrastructure through a combination of different data points, including JARM fingerprinting, IP geolocation, and analysis of service responses. This allowed them to track Kimsuky’s targets, such as the South Korean platforms Naver, Kakao, and Daum, as well as several South Korean academic institutions, including Yonsei University and Korea University. For example, they observed that Kimsuky targeted professors, luring them to download documents related to specific events at the Asan Institute for Policy Studies. This indicates that the group exploits real-life events to deceive its targets.
They observed multiple Remote Access Trojans (RATs) that Kimsuky used to access and control victims’ endpoints, including Xenorat, QuasarRat, and AsyncRat. Kimsuky was also found to use KGH spy, in-house-developed spyware used to conduct cyber espionage.
Uncovering the operational bases
Through correlation searches with large-scale network data, Amata and Rintaro identified Kimsuky’s operational bases. The IP geolocation data pinpointed Kimsuky’s operations to regions in Dandong and Baishan in China, close to the border of North Korea. These locations are used to control and manage their infrastructure securely, often utilizing Remote Desktop Protocol (RDP) and SSH connections.
The research also highlighted Kimsuky’s operational security (OPSEC) measures, such as the use of VPN services and intermediate servers to disguise their true location. This allows them to continue their operations without raising suspicion. Furthermore, Kimsuky is operational almost all the time: activity has been recorded for 17 hours a day, 7 days a week.
Merging insights to get the full picture
By combining insights from their research with findings from five other security companies, Amata and Rintaro gained an even deeper understanding of the scale and sophistication of Kimsuky’s operations. One interesting discovery is the group’s use of malicious Chrome extensions that target both cryptocurrency traders, as part of its cryptocurrency operation, and South Korean academics, exfiltrating sensitive information and facilitating espionage activities.
They found that the scope of this operation is massive, with over 100 hosts tracked by Amata and Rintaro. Moreover, threat research from multiple security companies overlapped and validated their research, highlighting the vast scope of Kimsuky’s cyber operations.
The need for vigilance
Kimsuky continues to adapt and expand its cyber espionage activities, which makes the threat landscape ever more complex. Amata’s and Rintaro’s future research will focus on creating clusters from discovered connections, identifying new TTPs (tactics, techniques, and procedures), and validating the hypotheses about the group’s evolving infrastructure.
The insights they have gathered highlight not only the significant threat posed by Kimsuky, but also the importance of proactive and collaborative cyber defense measures. At NTT Security Holdings, we remain committed to uncovering these threats and providing actionable intelligence to safeguard organizations worldwide.
By taking proactive measures and remaining vigilant, we can collectively defend against cyber threats and safeguard sensitive data from exploitation. Let’s prioritize cybersecurity and work together to ensure a safer digital environment for all.