The U.S. government sanctioned one of North Korea’s premier cyber espionage units Thursday, a group known to support Pyongyang’s intelligence collection efforts and which also conducts operations to support its nuclear program, according to a statement from the U.S. Treasury Department.
The group — tracked variously as Kimsuky, APT43, Emerald Sleet, Velvet Chollima, TA406 and Black Banshee — has been operating since at least 2012, according to U.S. government estimates, and works under the umbrella of North Korea’s Reconnaissance General Bureau (RGB), the country’s primary intelligence service.
Kimsuky’s operations in recent years have been widely exposed, analyzed and documented by various government and industry researchers. Nevertheless, “APT43 has demonstrated remarkable resilience, continuing to employ sophisticated social engineering tactics to target unsuspecting individuals and organizations,” Michael Barnhart, principal analyst at Mandiant, told CyberScoop in an email.
The group is “a prime example of North Korea’s persistent cyber threat,” Barnhart said, noting that it “operates with the full backing of the North Korean regime, tasked with gathering sensitive information on a wide range of topics, including nuclear technology, sanctions evasion, and unification efforts.”
Kimsuky typically employs spearphishing to target key people in government, research centers, think tanks, academic institutions and news media organizations, according to the Treasury announcement.
Alongside its espionage mandate, the group is also believed to engage in financially motivated cybercrime as a means to fund itself, Mandiant reported in a March 2023 analysis.
“It’s fantastic to see further government action taken against DPRK threat actors,” said Tom Hegel, principal threat researcher with SentinelLabs. “I suspect these actions will play a major role in impacting their success rate and impose some cost on their methods of operating. A welcomed play against such a significant cyber threat.”
Hegel pointed to an August 2020 Kimsuky effort, which targeted nearly a dozen United Nations officials, as emblematic of the group’s work. That operation was one in a string targeting various U.N. officials, ZDNet reported at the time.
In June, a joint advisory from the NSA, FBI, State Department and their counterparts in South Korea warned of Kimsuky efforts to target think tanks, academia and media outlets in the U.S. and South Korea, including by posing as or spoofing real journalists and broadcast writers.
SentinelLabs senior threat researcher Aleksandar Milenkoski analyzed part of the campaign flagged by the international advisory, which relied on spoofed domains, documents and other activities related to NK News, a South Korea-based news and analysis organization focused on North Korean matters.
Hegel, meanwhile, said that Kimsuky’s operations “against media outlets have always showed us their pace of operation and creativity.”