This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF). This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.cisa.gov/northkorea.
This advisory describes known Kimsuky TTPs, as found in open-source and intelligence reporting through July 2020. The target audience for this advisory is commercial sector businesses desiring to protect their networks from North Korean APT activity.
Click here for a PDF version of this report.
This advisory’s key findings are:
- The Kimsuky APT group has most likely been operating since 2012.
- Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
- Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.
- Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.
- Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
- Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
- Kimsuky specifically targets:
- Individuals identified as experts in various fields,
- Think tanks, and
- South Korean government entities.]
- CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.