DOD, FBI, DHS warn of active North Korean government-linked hacking operation

The FBI and departments of Defense and Homeland Security issued a joint alert Tuesday warning the private sector about what they say is a global hacking operation run by North Korean government-linked hackers.

The hacking group, known as Kimsuky, tends to run intelligence-gathering intrusions against targets in South Korea, Japan and the U.S., according to the alert by the FBI, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and Cyber Command, DOD’s offensive hacking arm.

Kimsuky commonly runs cyber-espionage campaign against South Korean think tanks, as well as targets related to sanctions, nuclear topics, and other issues affecting the Korean Peninsula, according to the U.S. government. To obtain initial access to victims, the hackers typically use spearphishing emails and watering holes to trick victims to give up information, the U.S. government alert says.

Kimsuky’s operations, which have been active since at least 2012, are “most likely tasked by the North Korean regime,” according to the report. Researchers have previously linked Kimsuky, also sometimes referred to as the Velvet Chollima group, with North Korea and state-linked motives.

Cyber Command said it is releasing the report, which outlines Kimsuky’s commonly used tactics, techniques and procedures, in an effort to prompt the private sector to protect its networks against what the government says is an active North Korean hacking operation.

The joint alert comes in a long string of reports the U.S. government has released publicly on North Korean government hacking in an effort to throw North Korean hackers off course and neutralize their operations’ effectiveness. As the thinking goes, when the private sector protects against these hacking operations, the attackers may get distracted from their operations as they retool, officials say.

Although the alert came in close proximity to the 2020 presidential elections in the U.S., the ongoing campaign from the North Korean hackers is not believed to be linked to them, a Cyber Command spokesperson said.

Kurt Baumgartner, a principal security researcher at Kaspersky, which has been tracking Kimsuky since 2013, says the group has remained “highly active,” but that it may not be the most capable one on the world stage. When compared with a group such as Muddywater, a threat group researchers have linked with Iran and which Baumgartner says “has made large advances in technical capabilities over the past several years,” Kimsuky “has not advanced by leaps and bounds. However, they deliver capabilities that are adequate.”

Over the last year, the Department of Defense’s public releases on North Korean hacking have centered on North Korean financially-motivated hackers, although in recent months the U.S. government has turned its attention to trying to trip up North Korean hackers focused on defense, military, and energy targets.

Although Kimsuky has historically focused on think tanks and targets related to sanctions and nuclear topics, like many other North Korean government-linked hackers, the group, has recently been interested in targeting cryptocurrency users and exchanges to run “currency-generation operations,” according to CrowdStrike’s 2020 Global Threat Report.

Kimsuky is also believed to have been behind the 2014 targeting of a Korean nuclear power plant operator Korea Hydro & Nuclear Power Co., according to South Korean officials and researchers from the Financial Security Institute. Although South Korea’s nuclear plant operations weren’t compromised, the operation — aimed at stealing plant blueprints and gaining remote control of computers — could suggest potentially more destructive motives in the energy sector.

In recent months Kimsuky has garnered attention in the research community for taking advantage of the pandemic and sending spearphishing emails with coronavirus-themed lures, according to Malwarebytes research. The spearphishing emails contain malicious documents that could allow the attackers to collect information about victim machines, including information on victim cameras, audio, Bluetooth and files.