South Korea Sanctions North Korean-Sponsored Cybercrime Group “Kimsuky”

Published: 06 June 2023


According to the South Korean ministry report, Kimsuky has stolen intelligence all over the world pertaining to missile and satellite technologies. (Photo: Pxfuel, License)

By Henry Pope

South Korea’s Ministry of Foreign Affairs (MOFA) sanctioned Friday the North Korean state-sponsored cybercrime group “Kimsuky,” whose misdeeds include the theft of satellite technology for the benefit of the Kim Jong-Un regime.

According to the South Korean ministry report, Kimsuky has spearheaded various phishing campaigns all over the world, with the goal of illicitly obtaining intelligence in the fields of technological development and national defense, which are of great interest to its totalitarian dictator.

Such cyber attacks have been specifically targeted towards stealing cutting-edge technologies pertaining to long-range weapon and satellite development.

The sanctions are also a direct response to North Korea’s threat of launching a long-range ballistic missile last week, MOFA said.

Active since at least 2012, Kimsuky has orchestrated these cyber thefts via a means known as “social engineering,” according to a joint advisory by multiple U.S. and South Korean intelligence and law enforcement agencies.

In the realm of cybersecurity, social engineering means deceiving a target into unwittingly exposing confidential or sensitive information for fraudulent purposes.

A favorite among Pyongyang’s tactics is what is known as “spear phishing,” the exploitation of stolen email addresses to compromise a broader network of devices and servers.

“For over a decade, Kimsuky actors have continued to refine their social engineering techniques and made their spear phishing efforts increasingly difficult to discern,” the U.S.-South Korean advisory said.

When starting from scratch, the North Korean-sponsored cybercrime group uses open-source information to identify an initial target, and then tailors an online persona built around that individual so that it appears genuine when communicating with the target’s colleagues online.

Kimsuky agents will then create email addresses that closely resemble the ones they are impersonating. In the past, for instance, the group has passed itself off as well-known journalists using the domain “@XYZkoreas.news” that would make one associate it with the genuine news provider domain “@XYZnews.com.”
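A defender-side check for the look-alike domains described above, added here as an example that is not part of the article or of the joint advisory: it flags sender domains that reuse a trusted brand token in a different registrable name, or that sit within two character edits of a trusted domain. The `TRUSTED` table, the brand token `xyz` and the sample `From:` headers are constructed assumptions modelled on the article’s XYZnews example.

```python
import re

# Trusted senders keyed by the brand token an impersonator would borrow.
# Constructed from the article's XYZnews.com example, not a real directory.
TRUSTED = {"xyz": "xyznews.com"}
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender domain."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in TRUSTED.values()):
        return "trusted"
    labels = domain.split(".")
    # Registrable label, e.g. 'xyzkoreas' in 'xyzkoreas.news' (assumption: no
    # public-suffix handling, so 'example.co.uk' would yield 'co').
    label = labels[-2] if len(labels) >= 2 else labels[0]
    for brand, legit in TRUSTED.items():
        # Brand token reused in another registrable name (XYZkoreas.news, xyz-news.com),
        # or the whole domain spelled almost identically (xyznews.co, xyznevs.com).
        if brand in label or edit_distance(domain, legit) <= 2:
            return "lookalike"
    return "unknown"

def triage_from_headers(headers):
    """Map each parseable 'From:' header line to (sender domain, verdict)."""
    results = []
    for line in headers:
        m = ADDR_RE.search(line)
        if m:
            results.append((m.group(1).lower(), classify_domain(m.group(1))))
    return results

# Constructed sample headers modelled on the impersonation described above.
SAMPLE_HEADERS = [
    "From: Jane Reporter <jane.reporter@XYZkoreas.news>",
    "From: desk@xyznews.com",
    "From: Newsroom <news@mail.xyznews.com>",
    "From: alerts@xyznews.co",
    "From: Kim <kim@example.org>",
]
```

Calling `triage_from_headers(SAMPLE_HEADERS)` flags the two look-alike domains and leaves the genuine newsroom addresses as trusted; a token as short as `xyz` will also match unrelated names, so the brand list should be tuned to an organisation’s actual partners.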

Now communicating with their victims under a fraudulent sense of trust, the cybercrime group has talked their way into receiving sensitive and classified information, in some cases intelligence pertaining to national security.

Information obtained from their victims and passed up the food chain to Pyongyang has also provided the Kim regime an additional source of intelligence into foreign policy circles.

Though Kimsuky agents are sponsored by—and act to the direct benefit of—the North Korean government, they have funded themselves via other forms of cybercrime, such as cryptojacking and sextortion against civilians, according to the blockchain analysis firm Chainalysis.