North Korea’s reputation for covert operations has expanded beyond traditional military activities to cyber warfare. The country is now recognised as a global hacking hub, with the US Cybersecurity & Infrastructure Security Agency (CISA) identifying its cyber program as a growing threat to global stability. This includes espionage, financial theft, and disruptions to critical infrastructure.
One of the most alarming threats is the state-sponsored cyber group Kimsuky, known for targeting research institutions and launching ransomware campaigns against the healthcare and public sectors. As North Korea continues to escalate its cyber capabilities, the urgency to strengthen defences has never been greater. Prioritising the patching of known vulnerabilities is critical to building operational resilience.
Infiltration and data theft
Kimsuky, also known as APT43, is a North Korean Advanced Persistent Threat (APT) group tasked with conducting global intelligence operations on behalf of the regime. Active since at least 2012, the group focuses heavily on South Korean think tanks and government agencies but also targets institutions in the US, UK, and across Europe.
The group is notorious for its highly tailored phishing attacks. After establishing trust through initial email exchanges, they follow up with malicious attachments to compromise targets. These activities are closely aligned with the objectives of North Korea’s Reconnaissance General Bureau (RGB), the regime’s top foreign intelligence agency.
Kimsuky has been implicated in efforts to steal sensitive information, including nuclear research, healthcare, and pharmaceutical data. Additionally, it has dabbled in financially motivated cybercrime, most likely to fund its espionage efforts.
In June, the group was also found to have compromised Facebook and Microsoft’s MS Console to launch targeted attacks, mainly on human rights activists. Their tactics bypassed common security systems, making the threat difficult to detect.
Tyler Boire shares insights into these challenges and how his team is tackling the threat head-on.
How did Resilience become involved with Kimsuky?
Resilience Threat Intelligence is always monitoring emerging threats and news publications. We were alerted to a report by the Cybersecurity & Infrastructure Security Agency (CISA) that outlined previous Kimsuky operations. We then set up alerts that would match those indicators. With these safeguards in place, we received an alert that they had started to develop new infrastructure.
What could be the consequences for national security if critical research and intellectual property are stolen by groups like Kimsuky?
North Korea is an isolated nation, and allowing the proliferation and growth of its weapons program only allows the nation to accelerate an attack on its closest viewed adversary, South Korea, and eventually the US or US allies.
North Korea is also a relatively poor nation that primarily relies on support from other nations to stay afloat. However, it continues to push illicit sales to help fund its country. This primarily comes in the form of weapons sales, drug sales, and theft of crypto-currencies. By allowing North Korea to continue refining its weapons program, it only further allows non-state actors and small nations globally to arm themselves, often leading to regional instability.
Other state-backed actors conducting similar operations against universities can further their own goals. We have seen this through Iranian-backed groups targeting those who speak against the current regime, Chinese-backed groups looking for state secrets and intellectual property to maintain pace with the United States for a fraction of the cost, and Russian-backed groups who have used information gathered in this way to influence policy in adversarial nations to cause political disruptions.
What kinds of research are most interesting to Kimsuky, and how does this connect to North Korea’s goals?
North Korea is typically interested in trade/embargo information, allyship between South Korea and other countries, advancements in medical sciences, anything that supports their weapons program, and anything that supports their nuclear aspirations.
Can you explain the mistake Kimsuky made that allowed Resilience to gather their information? How important was the data you collected?
We would prefer not to disclose the mistake they made in hopes that they make the same mistake again and we can capitalise on it to further understand and disrupt their operations. The data we gathered gives a unique view into their planned targeting and victims who had fallen prey to their previous campaigns. By being proactive in this way, we were able to disrupt their campaign and proactively get information into the hands of defenders before an attack happened, rather than reactively, as most cybersecurity happens.
What did Resilience learn from the source code, login details, and internal notes you captured? How does this help us understand Kimsuky’s activities better?
By being able to read the source code for their tools directly, Resilience can develop better, more accurate signatures for Kimsuky’s web interface. This helps us identify compromised infrastructure faster and get that information into defenders’ hands. By identifying the phishing lures being used, we can also guide specific things to look for and better focus our guidance on those at higher risk rather than a broad, general notice. This cuts down on the noise that defenders have to filter out every day.
Why is Kimsuky targeting university staff and researchers in South Korea? What does North Korea hope to gain from this?
North Korea is targeting universities and researchers that focus on national security, nuclear weapons non-proliferation, and their international relationships with foreign countries. North Korea is often not involved in these discussions and may be attempting to understand how other countries may attempt to weaken them or affect their national security. They are also likely looking for any research that may help progress their weapons program due to a lack of experts in North Korea.
How convincing are the phishing emails Kimsuky is using? Why are they so hard to detect, even for universities with strong security?
These phishing attacks mimic the login portals almost exactly when viewed through a web browser; you must identify the URL as different to notice that this is not the website you intend to log into. The attackers also configured email settings to pass common security checks. These checks ensure that the computer sending the email is authorized to send emails on the domain’s behalf and that the domain is who it says it is.
However, this does not necessarily mean that the person behind the keyboard is legitimate or who they say they are. When paired with a technique known as “Domain aging,” in which an attacker sets up a domain ahead of time with a benign-looking website and services, phishing emails can bypass some common email security controls.
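The point above, that SPF/DKIM/DMARC passing only proves the sending host is authorised for the From: domain and that an "aged" attacker domain also defeats a registration-age check, is illustrated by this added mail-triage rule. It is example code written for this article, not Resilience's tooling; the trusted domains, the registration dates and the sample Authentication-Results headers are all constructed.

```python
"""Triage rule: keep the authentication verdict, but add two defender-side
signals (domain age and lookalike distance to a trusted login domain)."""
from datetime import date
import re

# Constructed sample data. A real deployment would query RDAP/WHOIS.
TRUSTED_DOMAINS = {"example-univ.ac.kr"}
REGISTRATION_DATE = {
    "example-univ.ac.kr": date(2001, 3, 14),
    "example-univ-ac.kr": date(2023, 1, 10),       # aged lookalike
    "example-univ-login.com": date(2024, 4, 15),   # freshly registered
}


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        verdicts[mech] = m.group(1).lower() if m else "none"
    return verdicts


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(from_domain: str, auth_header: str,
           today: date = date(2024, 6, 1), max_age_days: int = 365):
    """Return ('deliver' | 'quarantine', reasons). Authentication passing on
    its own is never treated as proof that the sender is who they claim."""
    reasons = []
    auth = parse_auth_results(auth_header)
    failed = [m for m, v in auth.items() if v != "pass"]
    if failed:
        reasons.append("authentication not passed: " + ", ".join(failed))
    if from_domain not in TRUSTED_DOMAINS:
        registered = REGISTRATION_DATE.get(from_domain)
        if registered is not None and (today - registered).days < max_age_days:
            reasons.append(f"domain registered {(today - registered).days} days ago")
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(from_domain, trusted) <= 2:
                reasons.append(f"lookalike of trusted domain {trusted}")
    return ("quarantine" if reasons else "deliver"), reasons
```

Note that the aged lookalike passes both the authentication and the age check; only the distance to the real domain flags it, which is the manual URL comparison the answer describes, automated.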
What specific steps can universities take to protect themselves from these phishing attacks?
While often done very well, these phishing attacks are not novel and still rely on abusing a user’s trust. Users can resist most phishing attacks by leveraging password managers that will not auto-fill on unknown websites and strong 2-factor authentication tools such as authenticator apps and hardware tokens.
Why is Kimsuky focusing on universities, and what does this say about broader trends in cyber espionage? What other sectors might be at risk?
Universities are usually quite open networks in the ideal of freedom of information and often have bleeding-edge research. Universities also partner with private sector organizations and public institutions, which can serve as further data collection opportunities or allow an attacker to abuse the implicit trust of that relationship to pivot into another victim’s network.
How can international cooperation help defend against threats like Kimsuky? What role does Resilience play in this?
The internet has made the world a much smaller place over the last five decades; by focusing solely on national or regional viewpoints, defenders will miss key lessons. International cooperation is essential to the well-being of interconnected networks, and sharing information continues to keep the good guys ahead of the bad guys.
Resilience translates highly technical information to strategic leadership in a way they understand. While this is primarily leveraged in our insurance ventures and defending against financially motivated threat actors, we also strive to extend that ethos to the public sector. We partner with multiple international Law Enforcement and Government agencies to share information bi-directionally and facilitate getting that information into defenders’ hands as efficiently as possible, customer or not.
Kimsuky in Brief
- Specialises in Espionage: Kimsuky, also known as APT43, is a North Korean cyber-espionage group primarily focused on intelligence gathering. Their targets often include government entities, think tanks, and research institutions worldwide, with a particular interest in South Korean and Western organisations.
- Phishing Masters: Kimsuky is known for its highly sophisticated phishing campaigns, where they establish trust with targets through email correspondence before sending malicious attachments. Their phishing techniques are highly tailored, increasing their success rate in breaching high-value targets.
- Global Reach: While Kimsuky focuses heavily on South Korea, they have also launched attacks against the US, the UK, Japan, and other European countries, demonstrating their global scope and ambitions.
- Tied to North Korean Intelligence: Kimsuky operates under the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence agency. The group is tasked with stealing sensitive information, including nuclear weapons research and healthcare data, to bolster North Korea’s scientific and technological capabilities.
- Financially Motivated Cybercrime: Beyond espionage, Kimsuky also engages in financially motivated attacks, such as cryptocurrency thefts and ransomware. This side of their operations is believed to fund their espionage activities, making them a dual-threat actor on the global cyber stage.
Interview by Joanna England