JUST RELEASED: ATT&CK for Industrial Control Systems

Kimsuky

Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group focuses on targeting Korean think tank as well as DPRK/nuclear-related targets. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.[1][2]

ID: G0094
Associated Groups: Velvet Chollima
Version: 1.0
Created: 26 August 2019
Last Modified: 07 October 2019

Associated Group Descriptions

Name Description
Velvet Chollima [3]

Techniques Used

Domain ID Name Use
Enterprise T1176 Browser Extensions

Kimsuky has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.[3]

Enterprise T1042 Change Default File Association

Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.[4]

Enterprise T1081 Credentials in Files

Kimsuky has used a Google Chrome extension to steal passwords and cookies from their browsers.[3]

Enterprise T1022 Data Encrypted

Kimsuky has used RC4 encryption before exfil.[4]

Enterprise T1005 Data from Local System

Kimsuky has collected Office, PDF, and HWP documents from its victims.[4]

Enterprise T1089 Disabling Security Tools

Kimsuky has been observed disabling the system firewall and turning off Windows Security Center.[4]

Enterprise T1041 Exfiltration Over Command and Control Channel

Kimsuky has exfiltrated data over its email C2 channel.[4]

Enterprise T1083 File and Directory Discovery

Kimsuky has the ability to enumerate all the drives on an infected system.[4]

Enterprise T1107 File Deletion

Kimsuky has deleted the exfiltrated data on disk after transmission.[4]

Enterprise T1056 Input Capture

Kimsuky has used a PowerShell-based keylogger.[1][4]

Enterprise T1170 Mshta

Kimsuky has used mshta to run malicious scripts on the system.[1]

Enterprise T1050 New Service

Kimsuky has created new services for persistence.[4]

Enterprise T1086 PowerShell

Kimsuky has executed a variety of PowerShell scripts.[1]

Enterprise T1055 Process Injection

Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.[4]

Enterprise T1060 Registry Run Keys / Startup Folder

Kimsuky has placed scripts in the startup folder for persistence.[4]

Enterprise T1219 Remote Access Tools

Kimsuky has used a modified TeamViewer client as a command and control channel.[4]

Enterprise T1193 Spearphishing Attachment

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.[3][4]

Enterprise T1192 Spearphishing Link

Kimsuky has used an email containing a link to a document that contained malicious macros.[1]

Enterprise T1082 System Information Discovery

Kimsuky has gathered information about the infected computer.[4]

References