Kimsuky
Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group focuses on targeting Korean think tank as well as DPRK/nuclear-related targets. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.[1][2]
Associated Group Descriptions
| Name | Description |
|---|---|
| Velvet Chollima | [3] |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method | |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Kimsuky has placed scripts in the startup folder for persistence.[4] |
| Enterprise | T1176 | Browser Extensions |
Kimsuky has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.[3] |
|
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Kimsuky has used a Google Chrome extension to steal passwords and cookies from their browsers.[3] |
| Enterprise | T1005 | Data from Local System |
Kimsuky has collected Office, PDF, and HWP documents from its victims.[4] |
|
| Enterprise | T1546 | .001 | Event Triggered Execution: Change Default File Association |
Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.[4] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ||
| Enterprise | T1083 | File and Directory Discovery |
Kimsuky has the ability to enumerate all the drives on an infected system.[4] |
|
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Kimsuky has been observed turning off Windows Security Center.[4] |
| .004 | Impair Defenses: Disable or Modify System Firewall | |||
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
Kimsuky has deleted the exfiltrated data on disk after transmission.[4] |
| Enterprise | T1056 | .001 | Input Capture: Keylogging | |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.[3][4] |
| .002 | Phishing: Spearphishing Link |
Kimsuky has used an email containing a link to a document that contained malicious macros.[1] |
||
| Enterprise | T1055 | Process Injection |
Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.[4] |
|
| Enterprise | T1219 | Remote Access Software |
Kimsuky has used a modified TeamViewer client as a command and control channel.[4] |
|
| Enterprise | T1218 | .005 | Signed Binary Proxy Execution: Mshta |
Kimsuky has used mshta to run malicious scripts on the system.[1] |
| Enterprise | T1082 | System Information Discovery |
Kimsuky has gathered information about the infected computer.[4] |
|