Full Report
The North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages that originate from Russian sender addresses to ultimately conduct credential theft. "Phishing emails were sent mainly through email services in Japan and Korea until early September," South Korean cybersecurity company Genians said. "Then, from mid-September,
Analysis Summary
# Threat Actor: Kimsuky
## Attribution & Identity
- **Attribution:** North Korea-aligned threat actor.
- **Known Aliases and Associated Groups:** Kimsuky.
## Activity Summary
Kimsuky has been observed conducting credential theft phishing campaigns. Campaigns evolved from using sender addresses associated with Japan, Korea, and the U.S. (observed until early September) to leveraging Russian sender addresses starting mid-September. They specifically abused the VK Mail.ru email service, utilizing its five alias domains (mail.ru, internet.ru, bk.ru, inbox.ru, and list.ru) to send malicious emails.
The campaigns involved masquerading as communications from financial institutions and internet portals like Naver. A specific, recurring variant involved phishing related to Naver's MYBOX cloud storage service, where users were induced into a false sense of urgency to delete malicious files, tricking them into clicking links.
## Tactics, Techniques & Procedures
- **Social Engineering/Phishing:** Used highly targeted phishing emails to conduct credential theft.
- **Email Spoofing/Masquerading:**
  - Disguised emails as originating from Russian domains (via the Mail.ru service).
  - Masqueraded as official communications from financial institutions and services like Naver and Naver MYBOX.
- **Infrastructure Abuse:** Leveraged a compromised email server belonging to Evangelia University (evangelia[.]edu) to send phishing messages.
- **Use of Legitimate Tools:** Utilized a PHP-based mailer service named Star, which is noted as similar to their previously documented use of PHPMailer.
## Targeting
- **Sectors:** Financial institutions, Internet portals/Cloud Services (specifically targeting users of Naver MYBOX).
- **Geography:** Initial waves targeted Japan, South Korea, and the U.S. Later campaigns utilized Russian-styled sender addresses.
- **Victims:** Users of specific online services, exemplified by phishing campaigns mimicking Naver MYBOX notifications.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly detailed beyond the delivery method (phishing with malicious links/files).
- **Infrastructure (C2, domains, IPs):**
  - **Email Service Abuse:** VK's Mail.ru service, utilizing domains: mail[.]ru, internet[.]ru, bk[.]ru, inbox[.]ru, and list[.]ru.
  - **Compromised Server:** Evangelia University's email server (evangelia[.]edu).
  - **Mailer Service:** Star (PHP-based mailer service).
## Implications
The shift in Kimsuky's operational security, specifically the adoption of Russian email addresses via Mail.ru, suggests an attempt to obfuscate their origin by leveraging infrastructure less commonly associated with North Korean threat activity. This makes initial source attribution harder for security teams that monitor East Asian infrastructure. The continued focus on credential harvesting remains a high risk for targeted organizations in the financial and tech sectors.
## Mitigations
- **Email Filtering:** Enhance scrutiny of emails masquerading as notifications from major local/regional providers (e.g., Naver) and financial institutions, especially those claiming urgent security issues on cloud storage.
- **Source Verification:** Implement strict DMARC/SPF/DKIM policies organization-wide. Pay close attention to mail originating from otherwise unexpected domains (like the Mail.ru set identified).
- **User Awareness:** Train users to be highly suspicious of unsolicited urgency regarding account integrity or detected malicious files, requiring manual verification outside the received link.
- **Infrastructure Hardening:** Scan and harden publicly accessible servers (such as webmail servers) to prevent their compromise and use as a spam relay (as seen with evangelia[.]edu).
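As an added example (not code from the report or from Genians), the following Python triage routine applies the Email Filtering and Source Verification mitigations above to one raw message: it flags senders on the five Mail.ru alias domains, brand words (Naver, MYBOX) paired with a non-brand sender domain, a Return-Path not aligned with the visible From domain, SPF/DKIM/DMARC failures recorded by the receiving MTA, and the urgency wording of the MYBOX lure. The legitimate brand domain naver.com, the urgency keywords and the sample message are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The five VK Mail.ru alias domains the report names as abused sender domains.
MAILRU_ALIASES = {"mail.ru", "internet.ru", "bk.ru", "inbox.ru", "list.ru"}
# Lure brand words -> the domain assumed here to be the brand's legitimate sender.
IMPERSONATED_BRANDS = {"naver": "naver.com", "mybox": "naver.com"}
URGENCY = re.compile(r"malicious file|delete|immediately", re.I)

def _domain(addr: str) -> str:
    """Lower-cased domain of an RFC 5322 address, or '' when there is none."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage_message(raw: str) -> list[str]:
    """Return the triage flags raised for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    from_hdr = msg.get("From", "")
    from_dom = _domain(from_hdr)
    if from_dom in MAILRU_ALIASES:
        flags.append("sender-mailru-alias")
    # Brand words in display name or subject while the sender domain is not the brand's.
    visible = (parseaddr(from_hdr)[0] + " " + msg.get("Subject", "")).lower()
    for word, legit in IMPERSONATED_BRANDS.items():
        if word in visible and from_dom != legit and not from_dom.endswith("." + legit):
            flags.append(f"brand-impersonation:{word}")
    # Envelope sender (Return-Path) domain not aligned with the visible From domain.
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        flags.append("return-path-misaligned")
    # Results recorded by the receiving MTA's SPF/DKIM/DMARC checks.
    auth = msg.get("Authentication-Results", "").lower()
    flags += [f"{m}-fail" for m in ("spf", "dkim", "dmarc") if f"{m}=fail" in auth]
    if URGENCY.search(msg.get("Subject", "")):
        flags.append("urgency-lure")
    return flags

# Constructed sample modelled on the MYBOX lure; every value is made up for this example.
SAMPLE_PHISH = """\
From: "Naver MYBOX" <mybox-notice@bk.ru>
Return-Path: <bounce@relay.example.org>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=relay.example.org; dmarc=fail header.from=bk.ru
Subject: [MYBOX] Malicious file detected - delete immediately
To: victim@example.net

A malicious file was found in your MYBOX storage. Open the link to delete it.
"""
```

Run `triage_message(SAMPLE_PHISH)` on the constructed sample to see every flag fire; a message with aligned headers, passing authentication results and no brand or urgency wording returns an empty list.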