North Korea Kimsuky Launch Phishing Attacks on Universities
Summary:
Researchers have detailed the activities of the North Korean APT group Kimsuky, which has been targeting universities worldwide for espionage. Active since 2012, Kimsuky primarily targets South Korean entities but has extended its reach to the US, the UK, and Europe. The group specializes in sophisticated phishing campaigns, often impersonating academics or journalists to steal sensitive information.
Recent findings and tactics have been detailed in a new advisory published by Resilience. Analysts capitalized on Kimsuky's operational security mistakes, leading to the collection of source code, login credentials, and other crucial data. The data revealed that Kimsuky has been phishing university staff, researchers, and professors, aiming to access and exfiltrate valuable research and intelligence. Once inside university networks, the group was observed stealing information critical for North Korea, particularly given the country's limited scientific community. The group's actions align with the objectives of the Reconnaissance General Bureau, North Korea's primary foreign intelligence agency.
Resilience's new findings shed light on Kimsuky's methods, particularly its use of phishing pages that mimic legitimate university login portals. By altering the code of these pages, Kimsuky can capture the credentials of unsuspecting victims. Notably, the group has targeted institutions such as Dongduk University, Korea University, and Yonsei University.
Security Officer Comments:
Historically, Kimsuky has been linked to attempts to steal sensitive data, including nuclear research, healthcare innovations, and pharmaceutical secrets. There is also evidence suggesting that Kimsuky engages in financially motivated cybercrime, potentially as a means to fund its espionage activities. The operation also highlighted Kimsuky's use of a custom tool called "SendMail," which was deployed to send phishing emails using compromised email accounts. These emails were carefully crafted to deceive recipients into providing their login information, furthering Kimsuky's espionage efforts. According to Resilience, the breadth and depth of Kimsuky's tactics underscore the persistent and evolving threat posed by state-backed cyber groups.
Suggested Corrections:
- Implement phish-resistant multifactor authentication (MFA), such as FIDO-compliant hardware tokens or push-based mobile applications.
- Ensure users verify URLs before logging in, with the help of password managers.
- Review and test Breach and Attack Simulation packages to simulate Kimsuky activity and prepare for potential attacks.
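As an added illustration (not code from the advisory or from Resilience) of why the password-manager advice works against cloned login portals: a manager binds each saved credential to an exact origin, so a lookalike host, a userinfo trick, or an HTTP downgrade never receives the autofill, which gives the user a visible cue. The hostnames below are constructed placeholders, not the institutions named above.

```python
"""Origin-bound autofill: offer a saved credential only when the page's
origin (scheme://host[:port]) equals the origin it was saved for.
Constructed example; hostnames are placeholders."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed vault: credential name -> exact origin it was saved for.
VAULT: Dict[str, str] = {
    "university-sso": "https://sso.example-university.edu",
}


def origin(url: str) -> Optional[str]:
    """Return the normalised origin of an http(s) URL, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()          # hostname already drops userinfo
    default = 443 if parts.scheme == "https" else 80
    port = parts.port
    if port is None or port == default:    # normalise explicit default port
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def autofill_candidates(page_url: str, vault: Dict[str, str] = VAULT) -> List[str]:
    """Names of vault entries whose saved origin exactly matches the page."""
    page = origin(page_url)
    if page is None:
        return []
    return [name for name, saved in vault.items() if origin(saved) == page]


if __name__ == "__main__":
    for url in (
        "https://sso.example-university.edu/login?next=/portal",   # genuine
        "https://sso.example-university.edu.login-verify.net/",    # lookalike
        "https://sso.example-university.edu@login-verify.net/",    # userinfo trick
        "http://sso.example-university.edu/",                      # downgrade
    ):
        print(url, "->", autofill_candidates(url))
```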
Link(s):
https://www.infosecurity-magazine.com/news/north-korea-kimsuky-phishing/