South Korean President Yoon Suk Yeol walks with U.S. Defense Secretary Lloyd Austin at the Pentagon on April 27, 2023. Image: DOD / U.S. Navy Petty Officer 2nd Class Alexander Kubitza

North Korea’s Kimsuky cyber-spies earn an alert from Washington, Seoul

Intelligence agencies from the U.S. and South Korea have issued a warning that describes the spying methods of Kimsuky, a notorious North Korean nation-state hacking group that targets think tanks, academia and news media.

According to the advisory published on Thursday, Kimsuky hackers use impersonation tactics, masquerading as reliable sources to gain the trust of their targets and gather intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts of the nations that “threaten the regime.” This information also helps hackers create phishing emails that are more credible and impactful.

It’s not the first advisory issued by the U.S. and its allies regarding Kimsuky, whose many names include TA406 and Thallium. The group has been in operation since 2012, largely targeting diplomats, nongovernmental organizations, think tanks and experts on issues related to the Korean peninsula.

Intelligence agencies and cybersecurity researchers say the group is controlled by North Korea’s military intelligence organization, the Reconnaissance General Bureau (RGB), which has been sanctioned by the United Nations Security Council.

On Friday, South Korea imposed fresh sanctions on Kimsuky members for their alleged involvement in North Korea's recent launch of a spy satellite into space. The satellite launch resulted in failure, with both the booster and payload plunging into the sea.

According to the South Korean ministry statement, Kimsuky has been, directly or indirectly, engaged in North Korea’s satellite development “by stealing cutting-edge technologies on weapons development, satellite and space.”

North Korea dismissed the criticism from Washington and other nations regarding the launch, asserting its sovereign right to space exploration.

False identities

Kimsuky hackers usually use spearphishing attacks to gain initial access to targets, posing as real journalists, academics, or think tank researchers with credible links to North Korean policy circles. The goal is to gain illicit access to the private documents, research and communications of their victims.

North Korea relies heavily on intelligence gained from these operations, according to the report.

Impersonation campaigns by groups like Kimsuky are dangerous because some targets may underestimate the threat posed by these attacks, “either because they do not perceive their research and communications as sensitive in nature, or because they are not aware of how these efforts fuel the regime’s broader cyberespionage efforts,” the advisory said.

A Kimsuky spearphishing campaign usually begins with broad research and preparation. The hackers use open-source information to identify potential targets and then tailor their online personas to appear more realistic and appealing to their victims. Hackers also create email addresses that resemble those of real individuals or common internet services and media sites.

The agencies that published the report believe that increasing awareness of some of these campaigns and basic cybersecurity literacy may reduce the effectiveness of Kimsuky's spearphishing operations.

The U.S. encourages victims to report suspicious activities, including those related to suspected North Korean hackers. For this information, the Department of State’s Rewards for Justice program can give an award of up to $5 million.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Daryna Antoniuk

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.