Kimsuky

Last updated

Kimsuky (also known as Velvet Chollima, Black Banshee, THALLIUM, or Emerald Sleet [1] ) is a North Korean state-backed hacker group and advanced persistent threat that targets South Korean think tanks, industry, nuclear power operators, and the South Korean Ministry of Unification for espionage purposes. In recent years Kimsuky has expanded its operations to target states such as Russia, the United States, and European nations. [2]

Contents

History

According to the U.S. Cybersecurity and Infrastructure Security Agency Kimsuky has likely been active since 2012. [3]

In March 2015 it was reported that South Korea claimed Kimsuky stole data from Korea Hydro & Nuclear Power. [4]

In August 2019 it was reported that Kimsuky was targeting retired South Korean diplomats, government, and military officials, in an attack called "the first of its kind." [5]

In September 2020 it was reported that Kimsuky attempted to hack 11 officials of the United Nations Security Council. [4]

A lawmaker from the People Power Party reported that, in May 2021, Kimsuky was detected within the internal networks of the Korea Atomic Energy Research Institute. [6]

See also

Related Research Articles

SolarWinds Corporation is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. It is headquartered in Austin, Texas, with sales and product development offices in a number of locations in the United States and several other countries. The company was publicly traded from May 2009 until the end of 2015, and again from October 2018. It has also acquired a number of other companies, some of which it still operates under their original names, including Pingdom, Papertrail, and Loggly. It had about 300,000 customers as of December 2020, including nearly all Fortune 500 companies and numerous agencies of the US federal government.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Cyberwarfare by China is the aggregate of all combative activities in the cyberspace which are taken by organs of the People's Republic of China, including affiliated advanced persistent threat (APT) groups, against other countries.

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR), a view shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.

<span class="mw-page-title-main">MalwareMustDie</span> Whitehat security research workgroup

MalwareMustDie, NPO is a whitehat security research workgroup that was launched in August 2012. MalwareMustDie is a registered nonprofit organization as a medium for IT professionals and security researchers gathered to form a work flow to reduce malware infection in the internet. The group is known for their malware analysis blog. They have a list of Linux malware research and botnet analysis that they have completed. The team communicates information about malware in general and advocates for better detection for Linux malware.

PLATINUM is the name given by Microsoft to a cybercrime collective active against governments and related organizations in South and Southeast Asia. They are secretive and not much is known about the members of the group. The group's skill means that its attacks sometimes go without detection for many years.

Helix Kitten is a hacker group identified by CrowdStrike as Iranian.

<span class="mw-page-title-main">Cybersecurity and Infrastructure Security Agency</span> Agency of the United States Department of Homeland Security

The Cybersecurity and Infrastructure Security Agency (CISA) is a component of the United States Department of Homeland Security (DHS) responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government's cybersecurity protections against private and nation-state hackers.

<span class="mw-page-title-main">BlueKeep</span> Windows security hole

BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

Red Apollo is a Chinese state-sponsored cyberespionage group which has operated since 2006. In a 2018 indictment, the United States Department of Justice attributed the group to the Tianjin State Security Bureau of the Ministry of State Security.

Double Dragon is a hacking organization with alleged ties to the Chinese Ministry of State Security (MSS). Classified as an advanced persistent threat, the organization was named by the United States Department of Justice in September 2020 in relation to charges brought against five Chinese and two Malaysian nationals for allegedly compromising more than 100 companies around the world.

<span class="mw-page-title-main">Sandworm (hacker group)</span> Russian hacker group

Sandworm is an advanced persistent threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.

<span class="mw-page-title-main">2020 United States federal government data breach</span> US federal government data breach

In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

Ricochet Chollima is a North Korean state backed hacker group that is believed to have been created sometime before 2016 and is typically involved in operations against financial institutions to generate assets for North Korea, but also conducts attacks on the industrial sector in other countries. CrowdStrike has stated that the group mainly attacks a variety of South Korean organizations and individuals, including academics, journalists, and North Korean defectors. But also stated the group has also engaged in attacks against Japan, Vietnam, Hong Kong, the Middle East, Russia, and the United States. FireEye has called the group "the overlooked North Korean threat actor."

FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest, is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat.

Conti is malware developed and first used by the Russia-based hacking group "Wizard Spider" in December, 2019. It has since become a full-fledged ransomware-as-a-service (RaaS) operation used by numerous threat actor groups to conduct ransomware attacks.

<span class="mw-page-title-main">Hainan State Security Department</span>

The Hainan State Security Department is a provincial department of the Chinese Ministry of State Security responsible for national security and secret policing in the contiguous island province of Hainan, headquartered in Haikou. Members of the Hainan SSD have badge numbers with prefixes beginning with "46xxxx". The HSSD operates advanced persistent threat (APT) number 40.

References

  1. "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
  2. Nocturnus, Cybereason. "Back to the Future: Inside the Kimsuky KGH Spyware Suite". www.cybereason.com. Retrieved 2021-03-15.
  3. "North Korean Advanced Persistent Threat Focus: Kimsuky | CISA". us-cert.cisa.gov. Retrieved 2021-03-15.
  4. 1 2 Cimpanu, Catalin. "North Korea has tried to hack 11 officials of the UN Security Council". ZDNet. Retrieved 2021-03-15.
  5. Cimpanu, Catalin. "North Korean state hackers target retired diplomats and military officials". ZDNet. Retrieved 2021-03-15.
  6. Onchi, Yosuke (June 18, 2021). "North Korean hack targets South's nuclear power research". Nikkei Asian Review . Archived from the original on June 18, 2021.