Full Report
The North Korean state-sponsored hackers known as Kimsuky have reportedly suffered a data breach after two hackers, who describe themselves as the opposite of Kimsuky's values, stole the group's data and leaked it publicly online. [...]
Analysis Summary
# Threat Actor: Kimsuky (and associated entities)
## Attribution & Identity
Attributed to North Korea (DPRK).
Associated with known operations targeting South Korea. The source refers to the group by its commonly used designation, Kimsuky.
## Activity Summary
This summary is based on an alleged data breach that exposed Kimsuky's operational data. The dump provided new links between the group's tools and activities, effectively "burning" some of its infrastructure and methods. The leaked data included the complete source code of South Korea's Ministry of Foreign Affairs email platform ("Kebi"), suggesting extensive targeting of sensitive government systems.
## Tactics, Techniques & Procedures
- **Phishing/Social Engineering:** Use of a PHP "Generator" toolkit designed for building phishing sites, featuring detection evasion and redirection capabilities. Live phishing kits were also found.
- **Data Exfiltration/Internal Access:** Evidence of Bash history showing SSH connections to internal systems.
- **Use of Countermeasures:** Use of detection evasion and redirection tricks in phishing infrastructure.
- **Post-Exploitation:** Discovery of Cobalt Strike loaders and reverse shell modules located in VMware drag-and-drop cache files.
- **Supply Chain/Code Theft:** Possession of the complete source code for the South Korean Ministry of Foreign Affairs email platform (Kebi).
## Targeting
- Sectors: Government, Education (curated lists of university professors).
- Geography: Primarily South Korea (implied by the targeting of MFA and university staff). The leaked data also showed visits to Taiwanese government and military sites.
- Victims: South Korea's Ministry of Foreign Affairs (MFA) via their "Kebi" email platform. Curated lists of South Korean university professors.
## Tools & Infrastructure
- **Malware/Tools:** Cobalt Strike loaders and reverse shells, PHP "Generator" toolkit (for phishing).
- **Infrastructure Artifacts:** Unknown/custom binaries (`voS9AyMZ.tar.gz`, `Black.x64.tar.gz`, `payload.bin`, `payload_test.bin`, `s.x64.bin`) which were not flagged by VirusTotal. Onnara proxy modules.
- **Observed Infrastructure Use:** Purchases of VPN services (PureVPN, ZoogVPN) via Google Pay. Frequent use of hacking forums (`freebuf.com`, `xaker.ru`). Linked to specific GitHub accounts (`wwh1004.github.io`).
## Implications
The leak is unlikely to end Kimsuky's operations in the long term, but it will cause significant disruption ("burning" infrastructure and methods) and temporary difficulties in ongoing campaigns, because proprietary tools and connection patterns have been exposed.
## Mitigations
- Review and secure critical government/MFA email platforms, specifically auditing for compromised source code or backdoors related to the "Kebi" platform logic.
- Investigate the presence of custom binaries lacking VirusTotal detections, and scrutinize archives such as `.tar.gz` files that unpack to executables running on the network.
- Monitor for the use of the Onnara proxy modules.
- Review firewall and access logs for SSH connections matching the lateral-movement patterns indicated by the exposed Bash history.
- Harden VPN/C2 traffic analysis given the actor's history of using commercial VPNs (PureVPN, ZoogVPN).
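As an added, defender-side example (not part of the original report or of the leaked material), the following Python script combines two of the mitigation items above: it parses sshd log lines for accepted logins from internal addresses, flags internal sources that reached several hosts (pivot candidates), and extracts `ssh`/`scp` targets from a recovered shell history. The log lines, hostnames and address ranges are constructed assumptions.

```python
"""Flag SSH logins and ssh/scp invocations that suggest internal lateral movement."""
import ipaddress
import re

# Assumption: RFC 1918 space counts as "internal"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sshd lines in the usual syslog layout (not from the leak).
AUTH_LOG = """\
Sep 01 09:12:01 db01 sshd[2211]: Accepted publickey for ops from 203.0.113.7 port 50112 ssh2
Sep 01 09:40:33 db01 sshd[2390]: Accepted password for root from 10.20.0.15 port 41022 ssh2
Sep 01 09:41:02 web02 sshd[1177]: Accepted publickey for svc-backup from 10.20.0.15 port 41030 ssh2
Sep 01 09:45:17 web02 sshd[1190]: Failed password for admin from 10.20.0.15 port 41044 ssh2
"""

# Constructed .bash_history content of the kind the leaked history exposed.
BASH_HISTORY = """\
ls -la
ssh root@10.20.0.40
ssh -p 2222 svc-backup@fileserver.corp.local
scp payload.bin ops@10.20.0.41:/tmp/
cat /etc/hosts
"""

ACCEPTED = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
                      r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
SSH_CMD = re.compile(r"^(?:ssh|scp)\b.*?(?P<user>[\w.-]+)@(?P<host>[\w.-]+)")

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def internal_ssh_logins(log_text: str):
    """Return (src, dst_host, user, method) for accepted logins from internal sources."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m and is_internal(m["src"]):
            hits.append((m["src"], m["host"], m["user"], m["method"]))
    return hits

def pivot_sources(log_text: str, threshold: int = 2):
    """Internal sources that logged in to at least `threshold` distinct hosts."""
    targets = {}
    for src, host, _, _ in internal_ssh_logins(log_text):
        targets.setdefault(src, set()).add(host)
    return {src: sorted(h) for src, h in targets.items() if len(h) >= threshold}

def history_ssh_targets(history_text: str):
    """Extract user@host pairs from ssh/scp commands in a recovered shell history."""
    return [(m["user"], m["host"]) for m in map(SSH_CMD.match, history_text.splitlines()) if m]
```

Hosts returned by `history_ssh_targets` that also appear as destinations in `pivot_sources` are the first place to look when reconstructing a pivot chain.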