ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Kimsuky, Velvet Chollima

Names:
Kimsuky (Kaspersky)
Velvet Chollima (CrowdStrike)
Thallium (Microsoft)
Black Banshee (PWC)
SharpTongue (Volexity)
ITG16 (IBM)
TA406 (Proofpoint)
APT 43 (Mandiant)
ARCHIPELAGO (Google)
Emerald Sleet (Microsoft)
KTA082 (Kroll)
Country: North Korea
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2012
Description: (Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored.
Observed:
Sectors: Defense, Education, Energy, Government, Healthcare, Manufacturing, Think Tanks and Ministry of Unification, Sejong Institute and Korea Institute for Defense Analyses.
Countries: Japan, South Korea, Thailand, USA and Europe.
Tools used: AppleSeed, BabyShark, BITTERSWEET, CSPY Downloader, FlowerPower, Gh0st RAT, Gold Dragon, Grease, KGH_SPY, KimJongRAT, Kimsuky, KPortScan, MailPassView, Mechanical, Mimikatz, MyDogs, Network Password Recovery, ProcDump, PsExec, ReconShark, Remote Desktop PassView, SHARPEXT, SniffPass, SWEETDROP, TODDLERSHARK, Troll Stealer, VENOMBITE, WebBrowserPassView, xRAT, Living off the Land.
Operations performed:
2013: For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks.
<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>
2014: The South Korean government issued a report today blaming North Korea for network intrusions that stole data from Korea Hydro and Nuclear Power (KHNP), the company that operates South Korea's 23 nuclear reactors. While the government report stated that only 'non-critical' networks were affected, the attackers had demanded the shutdown of three reactors just after the intrusion. They also threatened 'destruction' in a message posted to Twitter.
<https://arstechnica.com/information-technology/2015/03/south-korea-claims-north-hacked-nuclear-data/>
Mar 2018: Operation “Baby Coin”
<https://blog.alyac.co.kr/m/1963>
May 2018: Operation “Stolen Pencil”
ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling Stolen Pencil that is targeting academic institutions since at least May 2018.
<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>
Oct 2018: Operation “Mystery Baby”
<https://blog.alyac.co.kr/m/1963>
Nov 2018: The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues.
<https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/>
<https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/>
Jan 2019: Operation “Kabar Cobra”
On January 7, 2019, a spear-phishing email with a malicious attachment was sent to members of the Ministry of Unification press corps.
<https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra%20(1).pdf>
Apr 2019: Operation “Stealth Power”
<https://blog.alyac.co.kr/2234>
Apr 2019: Operation “Smoke Screen”
<https://blog.alyac.co.kr/attachment/[email protected]>
Jul 2019: Operation “Red Salt”
<https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf>
Jul 2019: In what appears to be the first attack of its kind, a North Korean state-sponsored hacking group has been targeting retired South Korean diplomats, government, and military officials.
Targets of this recent campaign include former ambassadors, military generals, and retired members of South Korea’s Foreign Ministry and Unification Ministry.
<https://www.zdnet.com/article/north-korean-state-hackers-target-retired-diplomats-and-military-officials/>
Feb 2020: We decided to analyse the activity of the group after noticing a tweet of the user “@spider_girl22” on February 28th 2020.
<https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/>
Feb 2020: North Korea has tried to hack 11 officials of the UN Security Council
<https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/>
Mar 2020: According to a tweet shared by South Korean cyber-security firm IssueMakersLab, a group of North Korean hackers also hid malware inside documents detailing South Korea's response to the COVID-19 epidemic.
The documents, believed to have been sent to South Korean officials, were boobytrapped with BabyShark, a malware strain previously utilized by a North Korean hacker group known as Kimsuky.
<https://twitter.com/issuemakerslab/status/1233010155018604545>
Dec 2020: We discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign on a South Korean stock trading application.
<https://securelist.com/apt-trends-report-q1-2021/101967/>
Dec 2020: Kimsuky APT continues to target South Korean government using AppleSeed backdoor
<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>
2021: Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies
<https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf>
May 2021: South Korean officials said on Friday that hackers believed to be operating out of North Korea breached the internal network of the South Korean Atomic Energy Research Institute (KAERI), the government organization that conducts research on nuclear power and nuclear fuel technology.
<https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/>
May 2021: North Korean hackers breached major hospital in Seoul to steal data
<https://www.bleepingcomputer.com/news/security/north-korean-hackers-breached-major-hospital-in-seoul-to-steal-data/>
Jun 2021: North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
<https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html>
Sep 2021: SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
<https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/>
Jan 2022: On January 26th, 2022, the ASEC analysis team discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware.
<https://asec.ahnlab.com/en/31089/>
Early 2022: Kimsuky’s GoldDragon cluster and its C2 operations
<https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/>
Apr 2022: Operation “Covert Stalker”
<https://asec.ahnlab.com/en/58654/>
Oct 2022: Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware
<https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f>
2023: Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
<https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/>
Feb 2023: Malware Disguised as Normal Documents
<https://asec.ahnlab.com/en/47585/>
Mar 2023: CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)
<https://asec.ahnlab.com/en/49295/>
Mar 2023: North Korean APT group ‘Kimsuky’ targeting experts with new spearphishing campaign
<https://therecord.media/north-korea-apt-kimsuky-attacks>
Mar 2023: OneNote Malware Disguised as Compensation Form (Kimsuky)
<https://asec.ahnlab.com/en/50303/>
May 2023: Kimsuky Distributing CHM Malware Under Various Subjects
<https://asec.ahnlab.com/en/54678/>
May 2023: Kimsuky Group Using Meterpreter to Attack Web Servers
<https://asec.ahnlab.com/en/53046/>
May 2023: Kimsuky Group’s Phishing Attacks Targetting North Korea-Related Personnel
<https://asec.ahnlab.com/en/52970/>
May 2023: Ongoing Campaign Using Tailored Reconnaissance Toolkit
<https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/>
May 2023: North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media
<https://media.defense.gov/2023/Jun/01/2003234055/-1/-1/0/JOINT_CSA_DPRK_SOCIAL_ENGINEERING.PDF>
<https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/>
Jun 2023: Malware Disguised as HWP Document File (Kimsuky)
<https://asec.ahnlab.com/en/54736/>
Jul 2023: Kimsuky Threat Group Using Chrome Remote Desktop
<https://asec.ahnlab.com/en/55145/>
Jul 2023: Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky)
<https://asec.ahnlab.com/en/55219/>
Aug 2023: North Korean hackers target U.S.-South Korea military drills, police say
<https://www.reuters.com/world/north-korean-hackers-target-us-south-korea-military-drills-police-say-2023-08-20/>
Oct 2023: Kimsuky Threat Group Uses RDP to Control Infected Systems
<https://asec.ahnlab.com/en/57873/>
Nov 2023: Kimsuky Targets South Korean Research Institutes with Fake Import Declaration
<https://asec.ahnlab.com/en/59387/>
Dec 2023: Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
<https://asec.ahnlab.com/en/59590/>
Jan 2024: Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer
<https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2>
Jan 2024: TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)
<https://asec.ahnlab.com/en/61934/>
Mar 2024: TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
<https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark>
Counter operations:
Dec 2019: Microsoft takes court action against fourth nation-state cybercrime group
<https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/>
Nov 2023: Treasury Targets DPRK’s International Agents and Illicit Cyber Intrusion Group
<https://home.treasury.gov/news/press-releases/jy1938>
Information:
<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>
<https://securityintelligence.com/media/recent-activity-from-itg16-a-north-korean-threat-group/>
<https://us-cert.cisa.gov/ncas/alerts/aa20-301a>
<https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite>
<https://www.darkreading.com/operations/how-north-korean-apt-kimsuky-is-evolving-its-tactics/d/d-id/1340956>
<https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf>
<https://asec.ahnlab.com/en/30532/>
<https://asec.ahnlab.com/en/60054/>
<https://asec.ahnlab.com/wp-content/uploads/2023/03/2022-Threat-Trend-Report-on-Kimsuky.pdf>
<https://asec.ahnlab.com/wp-content/uploads/2023/03/Unique-characteristics-of-Kimsuky-groups-spear-phishing-emails.pdf>
<https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report>
<https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/>
<https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/>
MITRE ATT&CK:
<https://attack.mitre.org/groups/G0094/>
<https://attack.mitre.org/groups/G0086/>

Last change to this card: 10 March 2024
