
An analysis found that the North Korean hacking group Kimsuky is using generative artificial intelligence (AI) to develop malware and is even targeting government officials' digital certificates, further advancing its cyberattack methods.

Security firm Kaspersky released a report on the 14th analyzing the latest attack tactics of the North Korean hacking group Kimsuky.

First identified by Kaspersky in 2013, Kimsuky is a North Korea–linked advanced persistent threat (APT) group that has been active for more than 10 years. Although it is considered less technically sophisticated than other Korean-speaking APT groups, it is known for crafting highly tailored spear-phishing emails.

According to the report, Kimsuky has recently been using large language models (LLMs) to help write malware. While analyzing activity over the past few months, Kaspersky researchers identified HelloDoor, a backdoor written in Rust. Inside the malware they found source comments containing emoji and grammatical errors, which Kaspersky regards as signs that an LLM was involved in writing the code. Analysts expect the development of attack tooling to accelerate as such AI assistance becomes routine.

Changes were also observed in attack methods. In addition to its existing malware distribution techniques, Kimsuky has been repurposing Visual Studio Code (VSCode)'s Remote Tunnels feature and commercial remote administration tools as access channels. Because a VSCode tunnel is relayed through Microsoft's own infrastructure, the victim machine's traffic goes to legitimate Microsoft servers, which helps the attackers evade security solutions and lets them operate the victim device remotely from an ordinary web browser.
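The tunnel abuse described above leaves two observable traces on the endpoint: the VSCode CLI being launched with the `tunnel` subcommand (often as a standalone `code.exe` dropped outside the normal install directory), and outbound connections to Microsoft's tunnel relay domains. The following script, an added example that is not from the Kaspersky report or from this article, runs both checks over a handful of constructed process-creation and network events. The `kind|key=value` event format, the field names, and the `DEV_HOSTS` allow-list are assumptions for the example; the `code tunnel` command line and the `devtunnels.ms` / `tunnels.api.visualstudio.com` domains are the real ones VSCode Remote Tunnels use.

```python
"""Hunt for VSCode Remote Tunnel activity in endpoint telemetry.

Added example, not code from the Kaspersky report or this article.
Assumptions: events are one per line as "kind|key=value|...", with
kind in {"proc", "net"}; hosts in DEV_HOSTS are ones where developers
legitimately run tunnels and are therefore suppressed.
"""
import re

# Constructed sample telemetry (not real logs). alice's host receives a
# standalone code.exe in Downloads that opens a tunnel; bob is a developer.
SAMPLE_EVENTS = """\
proc|host=HQ-PC-17|user=alice|image=C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe|cmdline=Code.exe --new-window
proc|host=HQ-PC-17|user=alice|image=C:\\Users\\alice\\Downloads\\code.exe|cmdline=code.exe tunnel --accept-server-license-terms --name hq-pc-17
net|host=HQ-PC-17|user=alice|dst=global.rel.tunnels.api.visualstudio.com|port=443
proc|host=DEV-PC-02|user=bob|image=C:\\Program Files\\Microsoft VS Code\\Code.exe|cmdline=Code.exe tunnel service install
net|host=HQ-PC-17|user=alice|dst=abc123-3000.use.devtunnels.ms|port=443
net|host=HQ-PC-17|user=alice|dst=update.code.visualstudio.com|port=443
"""

# "code tunnel" / "code.exe tunnel ..." is how the VSCode CLI starts a tunnel.
TUNNEL_CMD = re.compile(r"(?i)\bcode(?:\.exe)?\s+tunnel\b")
# Relay domains used by VSCode Remote Tunnels / Microsoft dev tunnels.
TUNNEL_DOMAINS = (".devtunnels.ms", "tunnels.api.visualstudio.com")
# Assumed allow-list of hosts where tunnel usage is expected.
DEV_HOSTS = {"DEV-PC-02"}


def parse(line):
    """Split "kind|k=v|k=v" into a dict; values may contain spaces but not '|'."""
    kind, *fields = line.split("|")
    event = dict(field.split("=", 1) for field in fields)
    event["kind"] = kind
    return event


def find_tunnel_activity(events_text, dev_hosts=DEV_HOSTS):
    """Return (rule, host, user, detail) tuples for non-allow-listed hosts."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        host, user = ev.get("host", "?"), ev.get("user", "?")
        if host in dev_hosts:
            continue
        if ev["kind"] == "proc" and TUNNEL_CMD.search(ev.get("cmdline", "")):
            # Record the image path: a CLI outside Program Files / the
            # per-user install directory is the more suspicious case.
            hits.append(("vscode-tunnel-launch", host, user, ev.get("image", "")))
        elif ev["kind"] == "net" and ev.get("dst", "").lower().endswith(TUNNEL_DOMAINS):
            hits.append(("vscode-tunnel-egress", host, user, ev["dst"]))
    return hits


if __name__ == "__main__":
    for rule, host, user, detail in find_tunnel_activity(SAMPLE_EVENTS):
        print(f"{rule:22} {host:10} {user:8} {detail}")
```

On the sample data the script reports the tunnel launch from `Downloads\code.exe` and the two relay connections from HQ-PC-17, and stays silent for the developer host. The allow-list is the important design choice: tunnels are a legitimate developer feature, so a bare match on `code tunnel` will page on every engineer. Where no one in the organization needs the feature, blocking the relay domains at the egress proxy is the simpler control.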

Threats targeting government agencies are also increasing. Kimsuky's AppleSeed malware was found to include a function that enumerates the directory where Government Public Key Infrastructure (GPKI) certificates are stored; GPKI is the government-accredited certificate system that officials use to authenticate to government systems. Kaspersky noted that if these certificates are stolen, attackers could use them to impersonate officials and log in to government systems.

The analysis also found indications that South Korean military personnel, government officials, employees of defense contractors, defense-beat reporters, and telecom employees were infected. Kimsuky appears to gain initial access with sophisticated spear-phishing emails disguised as product quotes or job postings. Recently it has also made first contact through messaging apps, and, to conceal its infrastructure, it compromises legitimate South Korean websites and abuses them as command-and-control (C2) servers.

Lee Hyo-eun, head of Kaspersky Korea, said, "Kimsuky's latest campaign is increasing its sophistication along two lines: AI-assisted code generation and weaponization of legitimate software," and emphasized, "Corporations and institutions should build behavior-based detection systems and regularly update the latest threat intelligence."
