GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
No groups
  1. Home
  2. Groups
  3. Kimsuky

Kimsuky

Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group focuses on targeting Korean think tank as well as DPRK/nuclear-related targets. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.[1][2]

ID: G0094
Associated Groups: Velvet Chollima
Version: 1.1
Created: 26 August 2019
Last Modified: 30 March 2020
Version Permalink

Associated Group Descriptions

Name Description
Velvet Chollima

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Kimsuky has used RC4 encryption before exfil.[4]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Kimsuky has placed scripts in the startup folder for persistence.[4]
Enterprise T1176 Browser Extensions

Kimsuky has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.[3]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Kimsuky has executed a variety of PowerShell scripts.[1]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Kimsuky has created new services for persistence.[4]
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Kimsuky has used a Google Chrome extension to steal passwords and cookies from their browsers.[3]
Enterprise T1005 Data from Local System

Kimsuky has collected Office, PDF, and HWP documents from its victims.[4]
Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.[4]
Enterprise T1041 Exfiltration Over C2 Channel

Kimsuky has exfiltrated data over its email C2 channel.[4]
Enterprise T1083 File and Directory Discovery

Kimsuky has the ability to enumerate all the drives on an infected system.[4]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Kimsuky has been observed turning off Windows Security Center.[4]
.004 Impair Defenses: Disable or Modify System Firewall

Kimsuky has been observed disabling the system firewall.[4]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Kimsuky has deleted the exfiltrated data on disk after transmission.[4]
Enterprise T1056 .001 Input Capture: Keylogging

Kimsuky has used a PowerShell-based keylogger.[1][4]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.[3][4]
.002 Phishing: Spearphishing Link

Kimsuky has used an email containing a link to a document that contained malicious macros.[1]
Enterprise T1055 Process Injection

Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.[4]
Enterprise T1219 Remote Access Software

Kimsuky has used a modified TeamViewer client as a command and control channel.[4]
Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

Kimsuky has used mshta to run malicious scripts on the system.[1]
Enterprise T1082 System Information Discovery

Kimsuky has gathered information about the infected computer.[4]

References

  1. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
  2. BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019.
  1. Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
  2. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.