JUST RELEASED: ATT&CK for Industrial Control Systems
GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
No groups
K-L
M-N
O-P
Q-R
S-T
U-V
No groups
W-X
Y-Z
No groups
  1. Home
  2. Groups
  3. Kimsuky

Kimsuky

Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group focuses on targeting Korean think tank as well as DPRK/nuclear-related targets. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.[1][2]

ID: G0094
Associated Groups: Velvet Chollima
Version: 1.0
Created: 26 August 2019
Last Modified: 07 October 2019

Associated Group Descriptions

Name Description
Velvet Chollima [3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1176 Browser Extensions

Kimsuky has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.[3]
Enterprise T1042 Change Default File Association

Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.[4]
Enterprise T1081 Credentials in Files

Kimsuky has used a Google Chrome extension to steal passwords and cookies from their browsers.[3]
Enterprise T1022 Data Encrypted

Kimsuky has used RC4 encryption before exfil.[4]
Enterprise T1005 Data from Local System

Kimsuky has collected Office, PDF, and HWP documents from its victims.[4]
Enterprise T1089 Disabling Security Tools

Kimsuky has been observed disabling the system firewall and turning off Windows Security Center.[4]
Enterprise T1041 Exfiltration Over Command and Control Channel

Kimsuky has exfiltrated data over its email C2 channel.[4]
Enterprise T1083 File and Directory Discovery

Kimsuky has the ability to enumerate all the drives on an infected system.[4]
Enterprise T1107 File Deletion

Kimsuky has deleted the exfiltrated data on disk after transmission.[4]
Enterprise T1056 Input Capture

Kimsuky has used a PowerShell-based keylogger.[1][4]
Enterprise T1170 Mshta

Kimsuky has used mshta to run malicious scripts on the system.[1]
Enterprise T1050 New Service

Kimsuky has created new services for persistence.[4]
Enterprise T1086 PowerShell

Kimsuky has executed a variety of PowerShell scripts.[1]
Enterprise T1055 Process Injection

Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.[4]
Enterprise T1060 Registry Run Keys / Startup Folder

Kimsuky has placed scripts in the startup folder for persistence.[4]
Enterprise T1219 Remote Access Tools

Kimsuky has used a modified TeamViewer client as a command and control channel.[4]
Enterprise T1193 Spearphishing Attachment

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.[3][4]
Enterprise T1192 Spearphishing Link

Kimsuky has used an email containing a link to a document that contained malicious macros.[1]
Enterprise T1082 System Information Discovery

Kimsuky has gathered information about the infected computer.[4]

References

  1. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
  2. BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019.
  1. Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
  2. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.