The hacking group 'Kimsuky' under North Korea's Reconnaissance General Bureau has been continuously hacking Korean government agencies and telecom companies, according to a report by the U.S. hacking magazine Phrack on the 8th.
Phrack reported this in a special issue celebrating its 40th anniversary, citing a report titled 'APT Down: The North Korea Files.' This report, which was disclosed by the U.S. nonprofit organization DDoSecrets at the world's largest hacking conference, DEF CON, held from the 7th to the 10th in San Francisco, was co-authored by white hat hackers 'Saber' and 'cyb0rg.'
According to the report, a data dump containing a vast amount of internal system access accounts and keys for the Ministry of the Interior and Safety, the Ministry of Foreign Affairs, the National Defense Intelligence Command, and domestic telecom companies was discovered in June.
The report claimed that the data dump was leaked from the virtual machines (VMs) used by Kimsuky hackers and from a Virtual Private Server (VPS) used for spear phishing attacks. Some of the leaked dump files on the dark web included source code for backdoors and attack tools used by the attackers, as well as sensitive information believed to have been stolen from Korean government agencies. Major emails and platforms of the Korean government were also exposed. There were indications that the attackers had accessed government sites as recently as this year.
Login attempts and records of phishing were found against institutions such as the Ministry of National Defense (DCC), the Ministry of Foreign Affairs, and the Supreme Public Prosecutors' Office. In the case of the Ministry of the Interior and Safety, it is reported that the 'Onnara System,' the internal government network system, was attacked, and in the case of the Ministry of Foreign Affairs, access to an email platform was confirmed.
The report stated that the attackers also accessed domestic telecom companies. After hacking a company that provides security solutions to one telecom company, they attempted to penetrate its internal network, and they also stole certificates and private keys for the remote control services of another telecom company.
The report warned that 'Kimsuky' is conducting persistent, long-term cyber espionage against the Korean government, military, media, and diplomatic institutions, noting that the attacks are cleverly designed and that the group continuously updates its infrastructure and malware to evade security detection, so caution is necessary.