Kimsuky | APT Profile

Description

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the UN and the government, education, business services, and manufacturing sectors in the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. [Kimsuky](https://attack.mitre.org/groups/G0094) operations have overlapped with those of other North Korean cyber espionage actors likely as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) [Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups. In 2023, [Kimsuky](https://attack.mitre.org/groups/G0094) has used commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI)

Techniques Used (TTPs)

T1005 — Data from Local System (collection)
T1587.001 — Malware (resource-development)
T1583 — Acquire Infrastructure (resource-development)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1585.002 — Email Accounts (resource-development)
T1566 — Phishing (initial-access)
T1204.002 — Malicious File (execution)
T1040 — Network Sniffing (credential-access, discovery)
T1566.002 — Spearphishing Link (initial-access)
T1539 — Steal Web Session Cookie (credential-access)
T1588.002 — Tool (resource-development)
T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1608.001 — Upload Malware (resource-development)
T1105 — Ingress Tool Transfer (command-and-control)
T1587 — Develop Capabilities (resource-development)
T1567.002 — Exfiltration to Cloud Storage (exfiltration)
T1598 — Phishing for Information (reconnaissance)
T1553.002 — Code Signing (defense-evasion)
T1036.004 — Masquerade Task or Service (defense-evasion)
T1102.002 — Bidirectional Communication (command-and-control)
T1204.001 — Malicious Link (execution)
T1534 — Internal Spearphishing (lateral-movement)
T1190 — Exploit Public-Facing Application (initial-access)
T1593.001 — Social Media (reconnaissance)
T1585 — Establish Accounts (resource-development)
T1589.003 — Employee Names (reconnaissance)
T1218.011 — Rundll32 (defense-evasion)
T1564.002 — Hidden Users (defense-evasion)
T1176.001 — Browser Extensions (persistence)
T1070.004 — File Deletion (defense-evasion)
T1219.002 — Remote Desktop Software (command-and-control)
T1583.004 — Server (resource-development)
T1620 — Reflective Code Loading (defense-evasion)
T1111 — Multi-Factor Authentication Interception (credential-access)
T1594 — Search Victim-Owned Websites (reconnaissance)
T1059.003 — Windows Command Shell (execution)
T1583.001 — Domains (resource-development)
T1012 — Query Registry (discovery)
T1591 — Gather Victim Org Information (reconnaissance)
T1071.001 — Web Protocols (command-and-control)
T1585.001 — Social Media Accounts (resource-development)
T1657 — Financial Theft (impact)
T1136.001 — Local Account (persistence)
T1007 — System Service Discovery (discovery)
T1586.002 — Email Accounts (resource-development)
T1560.003 — Archive via Custom Method (collection)
T1070.006 — Timestomp (defense-evasion)
T1598.003 — Spearphishing Link (reconnaissance)
T1596 — Search Open Technical Databases (reconnaissance)
T1550.002 — Pass the Hash (defense-evasion, lateral-movement)
T1557 — Adversary-in-the-Middle (credential-access, collection)
T1518.001 — Security Software Discovery (discovery)
T1218.005 — Mshta (defense-evasion)
T1041 — Exfiltration Over C2 Channel (exfiltration)
T1185 — Browser Session Hijacking (collection)
T1133 — External Remote Services (persistence, initial-access)
T1082 — System Information Discovery (discovery)
T1584.001 — Domains (resource-development)
T1589.002 — Email Addresses (reconnaissance)
T1059.007 — JavaScript (execution)
T1656 — Impersonation (defense-evasion)
T1027 — Obfuscated Files or Information (defense-evasion)
T1074.001 — Local Data Staging (collection)
T1071.003 — Mail Protocols (command-and-control)
T1056.001 — Keylogging (collection, credential-access)
T1027.002 — Software Packing (defense-evasion)
T1552.001 — Credentials In Files (credential-access)
T1102.001 — Dead Drop Resolver (command-and-control)
T1560.001 — Archive via Utility (collection)
T1016 — System Network Configuration Discovery (discovery)
T1555.003 — Credentials from Web Browsers (credential-access)
T1546.001 — Change Default File Association (privilege-escalation, persistence)
T1566.001 — Spearphishing Attachment (initial-access)
T1057 — Process Discovery (discovery)
T1055 — Process Injection (defense-evasion, privilege-escalation)
T1113 — Screen Capture (collection)
T1112 — Modify Registry (defense-evasion, persistence)
T1059.001 — PowerShell (execution)
T1562.004 — Disable or Modify System Firewall (defense-evasion)
T1588.005 — Exploits (resource-development)
T1218.010 — Regsvr32 (defense-evasion)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1583.006 — Web Services (resource-development)
T1593 — Search Open Websites/Domains (reconnaissance)
T1083 — File and Directory Discovery (discovery)
T1564.003 — Hidden Window (defense-evasion)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1593.002 — Search Engines (reconnaissance)
T1055.012 — Process Hollowing (defense-evasion, privilege-escalation)
T1588.003 — Code Signing Certificates (resource-development)
T1114.003 — Email Forwarding Rule (collection)
T1071.002 — File Transfer Protocols (command-and-control)
T1003.001 — LSASS Memory (credential-access)
T1205 — Traffic Signaling (defense-evasion, persistence, command-and-control)
T1059.005 — Visual Basic (execution)
T1098.007 — Additional Local or Domain Groups (persistence, privilege-escalation)
T1059.006 — Python (execution)
T1505.003 — Web Shell (persistence)
T1114.002 — Remote Email Collection (collection)

Total TTPs: 103

Malware & Tools

Malware: Amadey, AppleSeed, BabyShark, Brave Prince, GoBear, Gold Dragon, Gomir, KGH_SPY, NOKKI, TRANSLATEXT, Troll Stealer, gh0st RAT

Tools: CSPY Downloader, Mimikatz, PsExec, QuasarRAT, schtasks

← Return to Home ← Back to APT Search