Part of the report 'APT Down: The North Korea Files'.

A recent report published in the U.S. security magazine Phrack caused a stir in the security industry. The report, titled "APT Down: The North Korea Files," written by two white hat hackers, captures evidence that the hacking organization Kimsuky, under the North Korean reconnaissance bureau, has been continuously hacking the South Korean government and numerous corporations. The report claimed that traces of collaboration between Kimsuky and Chinese hackers were also found. It became known both domestically and internationally that major government departments such as the Ministry of National Defense and the Ministry of Foreign Affairs, along with telecommunications companies, were exposed without any defenses against hacking risks.

Including attacks presumed to be carried out by hackers backed by North Korea, there were over 1,000 cases of cyber attack damage in Korea in the first half of this year, but cyber security policies were omitted from the 123 national tasks announced by the Lee Jae-myung administration on the 13th. Security experts criticized, "Public and private sectors have turned into playgrounds for hackers, but policies related to cyber security, which are central to national security, are still being neglected."

Illustration: ChatGPT DALL-E 3.

◇ "Kimsuky publicly collaborates with Chinese hackers"

According to industry sources on the 15th, a report published by the non-profit organization DDoSecrets was co-authored by two white hat hackers, Saber and cyb0rg. The two hackers reported that they found information obtained by hacking into the workstation of a North Korean hacker presumed to belong to Kimsuky, known as 'KIM.' They also revealed how the attackers targeted the government and corporations.

According to the report, a massive data dump was found on the attacker's computer, containing access accounts and keys to the internal systems of the Ministry of the Interior and Safety, the Ministry of Foreign Affairs, the Defense Security Command (DCC), the Supreme Public Prosecutors' Office, and domestic telecommunications companies. The data dump leaked around June 10 from the virtual machine used by the hacker and a virtual private server utilized for spear phishing.

The two hackers claimed they found sensitive information that appeared to have been stolen from government departments, including email addresses used by the attackers, hacking tools, and passwords. Phishing attacks targeting the Defense Security Command were conducted until early June. Records of attempted phishing against the Supreme Public Prosecutors' Office and access to domain addresses of portal sites such as Naver and Daum, as well as a copy file from the Ministry of Foreign Affairs' email platform, were also discovered. In the case of the Ministry of the Interior and Safety, the internal work management system, known as the "Onnara system," was attacked.

Among the private corporations, it appears that the focus was particularly on telecommunications companies widely used by the public. In one case, a hacker attempted internal infiltration after hacking a company that provides security solutions to that telecommunications company, while another telecommunications company had its certificate and private key for remote control services stolen.

The report pointed out, "Kimsuky is an advanced persistent threat (APT) organization from North Korea conducting ongoing and long-term cyber espionage activities against the South Korean government, military, media, diplomatic agencies, and nuclear power plant operators," and noted that they are "a morally depraved group driven by political motives and monetary greed."

It also noted, "There are indications that Kimsuky publicly collaborates with Chinese hackers, sharing their tools and techniques." The authors of the report suggested that the possibility of these attacks being backed by China cannot be ruled out, but they reasoned that Kimsuky was likely responsible, as the hacker used Google Translate to convert Korean to simplified Chinese, and Chrome settings were configured for 'Korean Standard Time.' They also added that the hackers displayed a consistent work pattern, only accessing during standard working hours from 9 a.m. to 5 p.m. Pyongyang time.
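The working-hours reasoning above is a standard analyst check: convert an actor's session timestamps into a candidate local time zone and see how many fall inside a 9-to-5 day. The script below is an added illustration and is not from the Phrack report or its authors. It runs over a constructed log excerpt (the address and timestamps are made up) and, beyond the single case in the text, scans every whole-hour UTC offset to find the one under which the activity looks most like a working day. Pyongyang Time is modelled as a fixed UTC+9 offset (its value since 2018) so the script needs no time zone database.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Pyongyang Time has been UTC+9 since May 2018; a fixed offset avoids a tzdata dependency.
PYONGYANG = timezone(timedelta(hours=9), name="PYT")
WORK_START, WORK_END = 9, 17  # working day: 09:00 inclusive to 17:00 exclusive, local time

# Constructed sample log: UTC timestamps of logins from one source address (not real data).
SAMPLE_LOG = """\
2025-06-02T00:14:09Z 198.51.100.7 login ok
2025-06-02T01:45:30Z 198.51.100.7 login ok
2025-06-02T03:02:11Z 198.51.100.7 login ok
2025-06-02T06:58:42Z 198.51.100.7 login ok
2025-06-02T07:30:00Z 198.51.100.7 login ok
2025-06-02T07:55:20Z 198.51.100.7 login ok
2025-06-03T02:10:33Z 198.51.100.7 login ok
2025-06-03T05:55:02Z 198.51.100.7 login ok
2025-06-03T14:20:00Z 198.51.100.7 login ok
"""


def parse_timestamps(log_text):
    """Return timezone-aware UTC datetimes parsed from the first field of each log line."""
    stamps = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        raw = line.split()[0]
        stamp = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        stamps.append(stamp)
    return stamps


def hour_histogram(stamps, tz):
    """Count events per local hour of day after converting each timestamp into tz."""
    return Counter(s.astimezone(tz).hour for s in stamps)


def working_hours_fraction(stamps, tz, start=WORK_START, end=WORK_END):
    """Share of events whose local hour in tz lies inside [start, end)."""
    if not stamps:
        return 0.0
    inside = sum(1 for s in stamps if start <= s.astimezone(tz).hour < end)
    return inside / len(stamps)


def best_fit_offset(stamps, start=WORK_START, end=WORK_END):
    """Return (offset_hours, fraction) for the whole-hour UTC offset under which the
    largest share of events lands in working hours. Ties go to the lowest offset.
    This is a weak attribution signal on its own and only supports other evidence."""
    best = None
    for hours in range(-12, 15):
        tz = timezone(timedelta(hours=hours))
        frac = working_hours_fraction(stamps, tz, start, end)
        if best is None or frac > best[1]:
            best = (hours, frac)
    return best


if __name__ == "__main__":
    events = parse_timestamps(SAMPLE_LOG)
    print("events per Pyongyang hour:", sorted(hour_histogram(events, PYONGYANG).items()))
    print("fraction in 09-17 PYT:", round(working_hours_fraction(events, PYONGYANG), 3))
    print("fraction in 09-17 UTC:", round(working_hours_fraction(events, timezone.utc), 3))
    print("best-fit UTC offset:", best_fit_offset(events))
```

On the constructed sample, eight of nine logins fall inside 09:00 to 17:00 at UTC+9 while only one does at UTC, and the offset scan picks +9. Real logs need far more events than this, and a good fit to one zone does not distinguish neighbouring zones or an actor who deliberately shifts their hours, which is why the report's authors paired the pattern with other artefacts such as browser and translation settings.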

Foreign media assessed that this report has revealed some of the realities behind North Korea's closed hacking operations. The IT media TechCrunch remarked, "It is an almost unprecedented case of looking into Kimsuky's internal activities."

◇ Surge in attacks presumed to be North Korean while national security posts stay vacant

Kimsuky, presumed by the report to be behind the attacks, is listed among the North's representative hacking organizations, alongside Lazarus, APT37, and Andariel. This hacker group, which reportedly began its activities in 2012, first came to light when a Russian security firm identified that a hacker's email account was 'Kimsukyang,' which was later transliterated into Kimsuky in a 2013 report. Kimsuky has primarily targeted South Korean government departments, corporations, nuclear power plants, and experts in the field of reunification. In recent years, it has expanded its targets to the United Nations, the United States, Japan, Russia, and Europe.

According to the security company Recorded Future, Kimsuky was responsible for about 37% of cyber attacks carried out by North Korean hacker groups from 2009 to 2023. The main goals of the attacks have been information theft and earning foreign currency. Recently, it has been hacking global cryptocurrency exchanges to launder stolen cryptocurrencies and raise funds necessary for North Korea's nuclear weapons development.

Industry sources indicate that Kimsuky mainly utilizes methods such as spear phishing and watering hole attacks to initiate breaches, and to target potential victims, it is known to create social media accounts impersonating specific individuals. Their attack methods are continuously becoming more sophisticated. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted, "Since 2023, Kimsuky has begun utilizing large language models (LLM) and artificial intelligence (AI) in vulnerability research, social engineering, and reconnaissance activities."

The head of the cyber threat analysis team at a domestic security firm stated about the report, "This attack represents a sophisticated threat that has precision-targeted key state institutions and infrastructure," adding that "the leaked data included internal operational documents, credentials, backdoors, and other materials classified as state secrets."

The security industry criticized that, even as suspected North Korean and Chinese hackers escalate their attacks on the government and private sectors, positions responsible for national security remain vacant. The post of cyber security secretary at the presidential office, which oversees national cyber security, has been unoccupied for more than two months since the new administration took office.

※ This article has been translated by AI.