Summary: North Korean threat group Kimsuky is leveraging living-off-the-land techniques and trusted services, such as Dropbox, to enhance operational security and evade detection. Their recent campaign, termed “DEEP#DRIVE,” employed deceptive tactics to steal sensitive data, particularly from South Korean organizations, while also aiming for financial gain in cryptocurrency sectors. This sophisticated approach marks a significant evolution in Kimsuky’s cyber operations, raising alarms about the increasing threat to sensitive industries.
Affected: South Korean government agencies, businesses, cryptocurrency exchanges
Key points:
- Kimsuky showcased improved operational security using PowerShell scripts and Dropbox for data exfiltration in their DEEP#DRIVE campaign.
- The group executed a campaign aimed predominantly at espionage against South Korean entities, with additional motivations linked to financial gains from cryptocurrency theft.
- Operational security enhancements included using OAuth-based authentication, allowing them to avoid traditional detection methods, and timely dismantling of their infrastructure during investigations.
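As an added illustration of how a defender might surface the PowerShell-plus-Dropbox exfiltration pattern described above (this is example code, not from the report or any vendor tooling): a small Python detection run over constructed network-log lines that flags scripting hosts calling the Dropbox API with an OAuth bearer token. The log format, hostnames and timestamps are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the article): one line per outbound HTTP
# request, in the shape a proxy or EDR network sensor might emit.
SAMPLE_LOGS = [
    "2025-02-10T09:14:02Z host=WS-017 proc=powershell.exe dst=api.dropboxapi.com path=/2/files/upload auth=Bearer",
    "2025-02-10T09:14:05Z host=WS-017 proc=powershell.exe dst=content.dropboxapi.com path=/2/files/upload auth=Bearer",
    "2025-02-10T09:20:41Z host=WS-022 proc=Dropbox.exe dst=content.dropboxapi.com path=/2/files/upload auth=Bearer",
    "2025-02-10T09:31:19Z host=WS-017 proc=powershell.exe dst=api.dropboxapi.com path=/2/files/download auth=Bearer",
    "2025-02-10T09:40:00Z host=WS-031 proc=chrome.exe dst=www.dropbox.com path=/home auth=Cookie",
]

# Real Dropbox API endpoints used by OAuth-authenticated clients.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Living-off-the-land scripting hosts; the legitimate Dropbox desktop client
# does not run under any of these process names.
LOLBIN_PROCS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S+) auth=(?P<auth>\S+)$"
)


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_lolbin_dropbox_exfil(lines):
    """Group, per host, every API call where a scripting host presents an OAuth
    bearer token to the Dropbox API. Returns {host: [(ts, proc, path), ...]}."""
    alerts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if (rec["proc"].lower() in LOLBIN_PROCS
                and rec["dst"] in DROPBOX_API_HOSTS
                and rec["auth"] == "Bearer"):
            alerts[rec["host"]].append((rec["ts"], rec["proc"], rec["path"]))
    return dict(alerts)


if __name__ == "__main__":
    for host, events in detect_lolbin_dropbox_exfil(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {len(events)} scripting-host call(s) to Dropbox API")
        for ts, proc, path in events:
            print(f"  {ts} {proc} {path}")
```

The browser session and the genuine Dropbox.exe client in the sample are left alone; only the host where PowerShell itself holds the bearer token is reported.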