North Korea Kimsuky Launch Phishing Attacks on Universities

Summary: Cybersecurity analysts have revealed that the North Korean APT group Kimsuky has been targeting universities globally through sophisticated phishing campaigns to steal sensitive information. The group’s activities align with the objectives of North Korea’s foreign intelligence agency, the Reconnaissance General Bureau (RGB), and include attempts to exfiltrate critical research data.

Threat Actor: Kimsuky
Victim: Universities

Key Points:

  • Kimsuky has been active since at least 2012, primarily targeting South Korean think tanks and government entities, with a reach extending to the US and Europe.
  • The group employs phishing tactics that mimic legitimate university login portals to capture login credentials from staff and researchers.
  • Recent findings indicate Kimsuky’s operational security mistakes allowed analysts to collect critical data, including source code and login credentials.
  • The group utilizes a custom tool called “SendMail” to send deceptive phishing emails from compromised accounts.
  • Organizations are advised to implement phish-resistant multifactor authentication and regularly verify URLs to mitigate risks.

Cybersecurity analysts have uncovered critical details about the North Korean advanced persistent threat (APT) group Kimsuky, which has been targeting universities as part of its global espionage operations. 

Kimsuky, active since at least 2012, primarily targets South Korean think tanks and government entities, though its reach extends to the US, the UK and other European nations. The group specializes in sophisticated phishing campaigns, often posing as academics or journalists to infiltrate networks and steal sensitive information.

Recent Findings and Tactics

According to a new advisory published by Resilience today, its analysts capitalized on Kimsuky’s operational security mistakes, which led to the collection of source code, login credentials and other crucial data. 

The data revealed that Kimsuky has been phishing university staff, researchers and professors, aiming to access and exfiltrate valuable research and intelligence. Once inside university networks, the group was observed stealing information critical for North Korea, particularly given the country’s limited scientific community.

The group’s actions align with the objectives of the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence agency. 

Historically, Kimsuky has been linked to attempts to steal sensitive data, including nuclear research, healthcare innovations and pharmaceutical secrets. There is also evidence suggesting that Kimsuky engages in financially motivated cybercrime, potentially as a means to fund its espionage activities.

Resilience’s new findings shed light on Kimsuky’s methods, particularly its use of phishing pages that mimic legitimate university login portals. By altering the code of these pages, Kimsuky can capture the credentials of unsuspecting victims. Notably, the group has targeted institutions such as Dongduk University, Korea University and Yonsei University.


The operation also highlighted Kimsuky’s use of a custom tool called “SendMail,” which was deployed to send phishing emails using compromised email accounts. These emails were carefully crafted to deceive recipients into providing their login information, furthering Kimsuky’s espionage efforts. 

According to Resilience, the breadth and depth of Kimsuky’s tactics underscore the persistent and evolving threat posed by state-backed cyber groups. 

Recommendations for Organizations

To tackle this threat, the security firm recommended leveraging phish-resistant multifactor authentication (MFA), such as FIDO-compliant hardware tokens or push-based mobile applications. 

Additionally, users should always double-check that the URL they are logging into matches the page they expect to be on, as some password managers can assist with this automatically. 
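The reason FIDO-style MFA resists the login-portal phishing described above is that the browser, not the page, records the origin inside the WebAuthn clientDataJSON, and the relying party rejects any assertion whose origin is not its own. The check below is an added illustration, not code from Resilience or from the article; the university origin, the challenge bytes and the sample blobs are all constructed for the example.

```python
import base64
import json

# Constructed relying-party origin for this example (not a real institution).
EXPECTED_ORIGIN = "https://login.example-university.edu"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_client_data(client_data_b64: str, issued_challenge: bytes) -> tuple[bool, str]:
    """Validate the clientDataJSON of an authentication assertion.

    Returns (ok, reason). The origin comparison is what makes the factor
    phish-resistant: an assertion minted while the user sat on a look-alike
    domain carries that domain as its origin and is refused here, even if the
    user also typed a valid password into the fake page.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False, "clientDataJSON is not valid base64url JSON"
    if client_data.get("type") != "webauthn.get":
        return False, f"unexpected ceremony type {client_data.get('type')!r}"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if b64url_decode(client_data.get("challenge", "")) != issued_challenge:
        return False, "challenge mismatch (possible replay)"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.get") -> str:
    """Build a clientDataJSON blob the way a browser would (constructed sample)."""
    payload = {"type": ceremony, "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


if __name__ == "__main__":
    chal = b"server-issued-random-challenge"
    genuine = make_client_data(EXPECTED_ORIGIN, chal)
    lookalike = make_client_data("https://login.example-university-edu.test", chal)
    print(check_client_data(genuine, chal))    # (True, 'ok')
    print(check_client_data(lookalike, chal))  # (False, "origin mismatch: ...")
```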

Finally, organizations are encouraged to review and test Breach and Attack Simulation packages that simulate Kimsuky activity to better prepare for potential attacks.

Source: https://www.infosecurity-magazine.com/news/north-korea-kimsuky-phishing