
Kimsuky APT: Operation’s possible North Korean links uncovered

Dmitry Tarakanov
Kaspersky Lab Expert
Posted September 11, 13:15  GMT
Tags: Spyware, Targeted Attacks, Keyloggers, Cyber espionage
 

For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are several reasons why this campaign is unusual in its execution and logistics. It all started when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server, an approach more typical of amateur malware writers.

However, a few things attracted our attention:

  • The public e-mail server in question was Bulgarian: mail.bg.
  • The compilation path string contained Korean characters (Hangul).

The full PDB path found in the malware contains the following Korean strings:

D:\rsh\공격\UAC_dll(완성)\Release\test.pdb

The word “rsh” is, by all appearances, short for “Remote Shell”, and the Korean words translate into English as “attack” and “completion” (i.e. finished), giving:

D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb
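A PDB path like the one above is embedded in the PE's CodeView debug record, so it can be harvested from samples in bulk and used as a triage signal. The following is an added example (not code from the Kaspersky report) that scans a byte blob for RSDS CodeView records, decodes the trailing path (Korean build machines typically write it in CP949, not UTF-8, so the decoder falls back to that code page), and flags paths containing Hangul. The sample blob is constructed inline with the path quoted in the post; the GUID and age fields are dummy values.

```python
# Added example: extract CodeView (RSDS) PDB paths from a PE-like byte blob
# and flag those containing Korean (Hangul) characters. Not from the report.
import re
import struct

RSDS = b"RSDS"  # CodeView signature emitted by MSVC linkers

# Hangul code point blocks: jamo, compatibility jamo, precomposed syllables
HANGUL_RANGES = ((0x1100, 0x11FF), (0x3130, 0x318F), (0xAC00, 0xD7A3))


def decode_path(raw: bytes) -> str:
    """Decode a PDB path. The linker writes it in the build machine's ANSI
    code page, so UTF-8 is tried first and CP949 (Korean) second; Latin-1
    never fails and keeps the bytes visible for anything else."""
    for codec in ("utf-8", "cp949"):
        try:
            return raw.decode(codec)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")


def extract_pdb_paths(data: bytes) -> list:
    """Return every NUL-terminated path following an RSDS record.

    Record layout: 'RSDS' | 16-byte GUID | 4-byte age | path\\0
    """
    paths = []
    for m in re.finditer(re.escape(RSDS), data):
        start = m.end() + 16 + 4          # skip GUID and age
        end = data.find(b"\x00", start)
        if end == -1 or end == start:     # truncated or empty path
            continue
        paths.append(decode_path(data[start:end]))
    return paths


def has_hangul(s: str) -> bool:
    """True if any character falls in a Hangul block."""
    return any(lo <= ord(c) <= hi for c in s for lo, hi in HANGUL_RANGES)


def triage(data: bytes) -> list:
    """Pair each recovered PDB path with a Hangul flag for analyst review."""
    return [{"pdb": p, "hangul": has_hangul(p)} for p in extract_pdb_paths(data)]


# Constructed sample: minimal PE-like prefix, one RSDS record carrying the
# path quoted in the post, encoded in CP949 as a Korean-locale MSVC would.
SAMPLE_PATH = "D:\\rsh\\공격\\UAC_dll(완성)\\Release\\test.pdb"
SAMPLE_BLOB = (
    b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
    + RSDS + b"\x11" * 16 + struct.pack("<I", 1)
    + SAMPLE_PATH.encode("cp949") + b"\x00" + b"\x00" * 16
)

# Constructed control sample with an ordinary ASCII path.
CONTROL_PATH = "C:\\build\\agent\\Release\\agent.pdb"
CONTROL_BLOB = (
    b"MZ" + b"\x00" * 64
    + RSDS + b"\x22" * 16 + struct.pack("<I", 3)
    + CONTROL_PATH.encode("ascii") + b"\x00"
)

if __name__ == "__main__":
    for blob in (SAMPLE_BLOB, CONTROL_BLOB):
        for hit in triage(blob):
            print(("HANGUL  " if hit["hangul"] else "plain   ") + hit["pdb"])
```

Run the script over raw sample bytes (for example, `triage(open(path, "rb").read())`); a Hangul flag on its own is only a clue, as the post stresses, and a cleaner pipeline would read the debug directory from the PE headers rather than grepping for the signature, but the byte scan also works on memory dumps and damaged files.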

We managed to identify several targets. Here are some of the organizations the attackers were interested in:

The Sejong Institute

The Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.

Korea Institute For Defense Analyses (KIDA)

KIDA is a comprehensive defense research institution that covers a wide range of defense-related issues. KIDA is organized into seven research centers: the Center for Security and Strategy; the Center for Military Planning; the Center for Human Resource Development; the Center for Resource Management; the Center for Weapon Systems Studies; the Center for Information System Studies; and the Center for Modeling and Simulation. KIDA also has an IT Consulting Group and various supporting departments. KIDA's mission is to contribute to rational defense policy-making through intensive and systematic research and analysis of defense issues.

Ministry of Unification

The Ministry of Unification is an executive department of the South Korean government responsible for working towards the reunification of Korea. Its major duties are: establishing North Korea policy, coordinating inter-Korean dialogue, pursuing inter-Korean cooperation and educating the public on unification.

Hyundai Merchant Marine

Hyundai Merchant Marine is a South Korean logistics company providing worldwide container shipping services.

Some clues also suggest that computers belonging to “The supporters of Korean Unification” (http://www.unihope.kr/) are compromised as well. Among the other organizations we counted, 11 are based in South Korea and two are in China.

A large number of minimal malicious programs are involved in this campaign but, strangely, each implements a single spying function. We were able to find basic libraries responsible for the common communication with the campaign master, plus additional modules performing the following functions:

  • Keystroke logging
  • Directory listing collection
  • HWP document theft
  • Remote control download and execution
  • Remote control access

The clues we found make it possible to surmise a North Korean origin for the attackers. A detailed report on this campaign can be found in our article “The “Kimsuky” Operation: A North Korean APT?”.

