APT reports

Kimsuky APT: Operation’s possible North Korean links uncovered

For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers.

However, there were a few things that attracted our attention:

  • The public e-mail server in question was Bulgarian – mail.bg.
  • The compilation path string contained Korean hieroglyphs.

The complete path found in the malware presents some of the Korean strings:



The “rsh” word, by all appearances, means a shortening of “Remote Shell” and the Korean words can be translated in English as “attack” and “completion”, i.e.:



We managed to identify several targets. Here are some of the organizations that the attackers were interested in targeting:

The Sejong Institute
The Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.

Korea Institute For Defense Analyses (KIDA)
KIDA is a comprehensive defense research institution that covers a wide range of defense-related issues. KIDA is organized into seven research centers: the Center for Security and Strategy; the Center for Military Planning; the Center for Human Resource Development; the Center for Resource Management; the Center for Weapon Systems Studies; the Center for Information System Studies; and the Center for Modeling and Simulation. KIDA also has an IT Consulting Group and various supporting departments. KIDA’s mission is to contribute to rational defense policy-making through intensive and systematic research and analysis of defense issues.
Ministry of Unification
The Ministry of Unification is an executive department of the South Korean government responsible for working towards the reunification of Korea. Its major duties are: establishing North Korea Policy, coordinating inter-Korean dialogue, pursuing inter-Korean cooperation and educating the public on unification.
Hyundai Merchant Marine
Hyundai Merchant Marine is a South Korean logistics company providing worldwide container shipping services.


Some clues also suggest that computers belonging to “The supporters of Korean Unification” (http://www.unihope.kr/) are also compromised. Among other organizations we counted, 11 are based in South Korea and two entities reside in China.

There are a lot of minimal malicious programs involved in this campaign but, strangely, they each implement a single spying function. We were able to find basic libraries that are responsible for common communication with campaign master and additional modules performing the following functions:

  • Keystroke logging
  • Directory listing collection
  • HWP document theft
  • Remote control download and execution
  • Remote control access

Clues found by us make it possible to surmise North Korean origin of the attackers. Detailed report on this campaign you can find in our article “The “Kimsuky” Operation: A North Korean APT?”.

Kimsuky APT: Operation’s possible North Korean links uncovered

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox