Think Tanks, Academia, Government, Journalism, Diplomacy, Nuclear Research
Targeted Countries
🇰🇷 South Korea, 🇺🇸 United States, 🇯🇵 Japan, 🇪🇺 European Union
Overview
Kimsuky is a North Korean espionage group focused on intelligence collection in support of DPRK nuclear and geopolitical interests. The group specializes in highly targeted social engineering against think tanks, academics, diplomats, and journalists covering Korean Peninsula affairs. It is known for extensive use of credential phishing, reconnaissance operations, and custom malware deployed for long-term intelligence gathering.
Deployment of a malicious browser extension to steal email from Chrome/Edge.
2023
ReconShark Campaign
Spearphishing campaign targeting North Korea policy experts.
2019
KISA Alert Campaign
Targeting of journalists and diplomats covering DPRK.
2014
Korea Hydro Nuclear Power Breach
Infiltration of South Korean nuclear power operator.
Detection Engineering
Unauthorized Browser Extension Detection
Monitor Chrome/Edge extension installations via the registry (HKCU\Software\Google\Chrome\Extensions). Alert on sideloaded extensions that did not come from the official Web Store. Detect modifications to the browser's Preferences and Secure Preferences files that bypass extension verification.
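The Preferences-file half of that detection, as an added example that is not code from this page or any vendor: it reads the `extensions.settings` map that Chromium-based browsers keep in a profile's "Secure Preferences" (or "Preferences") JSON and flags every extension that was not installed from the Web Store, using the `from_webstore`, `location` and `update_url` fields Chromium writes. The sample preferences are constructed, the extension ids are placeholders, the Windows profile path and the Edge store update URL are assumptions, and `find_sideloaded` / `scan_profile` are names chosen here.

```python
"""Flag Chrome/Edge extensions that were not installed from the official Web
Store by reading the extensions.settings map from a profile's
"Secure Preferences" / "Preferences" JSON file.

Added example, not code from the page or any vendor. The sample preferences
are CONSTRUCTED; the extension ids in them are placeholders.
"""
import json
from pathlib import Path

# Chromium's Manifest::Location enum (values as in extensions/common/manifest.h).
LOCATION_NAMES = {
    1: "INTERNAL",                  # CRX installed into the profile (Web Store)
    2: "EXTERNAL_PREF",             # external_extensions.json on disk
    3: "EXTERNAL_REGISTRY",         # HKCU/HKLM\Software\Google\Chrome\Extensions
    4: "UNPACKED",                  # "Load unpacked" in developer mode
    5: "COMPONENT",                 # built into the browser
    6: "EXTERNAL_PREF_DOWNLOAD",
    7: "EXTERNAL_POLICY_DOWNLOAD",  # force-installed by enterprise policy
    8: "COMMAND_LINE",              # --load-extension
    9: "EXTERNAL_POLICY",
    10: "EXTERNAL_COMPONENT",
}
BUILTIN = {"COMPONENT", "EXTERNAL_COMPONENT"}
SIDELOAD_LOCATIONS = {"EXTERNAL_PREF", "EXTERNAL_REGISTRY", "UNPACKED", "COMMAND_LINE"}
WEBSTORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",   # Chrome Web Store
    # Assumption: Edge Add-ons store update endpoint
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
}
# Permissions that let an extension read webmail pages (triage hint only).
MAIL_READ_PERMS = {"<all_urls>", "webRequest", "tabs", "cookies"}


def find_sideloaded(prefs: dict) -> list[dict]:
    """Return one finding per extension that did not come from the Web Store."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        location = LOCATION_NAMES.get(ext.get("location"), "UNKNOWN")
        if location in BUILTIN:
            continue                      # shipped with the browser itself
        manifest = ext.get("manifest", {})
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("from_webstore=false")
        update_url = manifest.get("update_url")
        if update_url not in WEBSTORE_UPDATE_URLS:
            reasons.append(f"update_url={update_url!r}")
        if location in SIDELOAD_LOCATIONS:
            reasons.append(f"location={location}")
        if reasons:
            perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "path": ext.get("path", ""),
                "reasons": reasons,
                "mail_capable": bool(perms & MAIL_READ_PERMS),
            })
    return findings


def scan_profile(profile_dir: Path) -> list[dict]:
    """Scan a profile directory such as
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default (assumed Windows layout)."""
    findings = []
    for name in ("Secure Preferences", "Preferences"):
        pref_file = profile_dir / name
        if pref_file.is_file():
            findings.extend(find_sideloaded(json.loads(pref_file.read_text(encoding="utf-8"))))
    return findings


# CONSTRUCTED sample: one Web Store extension, one unpacked extension loaded
# from a temp directory with broad host permissions, one component extension.
SAMPLE_PREFS = {
    "extensions": {"settings": {
        "abcdabcdabcdabcdabcdabcdabcdabcd": {
            "from_webstore": True, "location": 1, "state": 1,
            "manifest": {"name": "Store Extension", "version": "2.1",
                         "update_url": "https://clients2.google.com/service/update2/crx"},
        },
        "efghefghefghefghefghefghefghefgh": {
            "from_webstore": False, "location": 4, "state": 1,
            "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ext",
            "manifest": {"name": "Mail Translator", "version": "1.0",
                         "permissions": ["tabs", "webRequest"],
                         "host_permissions": ["<all_urls>"]},
        },
        "ijklijklijklijklijklijklijklijkl": {
            "from_webstore": False, "location": 5, "state": 1,
            "manifest": {"name": "Built-in Component", "version": "1"},
        },
    }}
}

if __name__ == "__main__":
    for f in find_sideloaded(SAMPLE_PREFS):
        print(f"{f['id']}  {f['name']!r}  mail_capable={f['mail_capable']}  {', '.join(f['reasons'])}")
```

On the constructed sample only the unpacked "Mail Translator" extension is reported, with three reasons (not from the Web Store, no store update URL, UNPACKED location) and `mail_capable=True` because of its `<all_urls>` host permission; component extensions are skipped because they ship with the browser. Run `scan_profile` against each user's profile directory on a schedule and alert on any new finding; the registry key in the text covers the install trigger, this covers what is actually present in the profile afterwards.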
Deploy URL filtering to block newly registered domains (<30 days old) that mimic login portals. Monitor certificate transparency logs for certificates issued to domains resembling organizational login pages. Alert on HTML attachments containing credential-harvesting forms.
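The certificate transparency half of that detection, as an added example that is not code from this page: it reduces each domain seen in a CT log entry to its registrable domain and classifies it against the organization's login domain as a TLD swap, a homoglyph substitution, an embedded brand name or a near-miss within edit distance 2. The CT entries are constructed, `examplecorp.com` is a placeholder organization domain, the public-suffix handling (last two labels) is a simplification, and the function names are chosen here.

```python
"""Classify domains seen in certificate transparency (CT) log entries as
lookalikes of an organization's login domain.

Added example, not code from the page. The CT entries below are CONSTRUCTED
and examplecorp.com is a placeholder organization domain. Suffix handling
assumes a single-label public suffix (no public-suffix-list lookup).
"""
from typing import Optional

# Character sequences commonly swapped to imitate another letter.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("|", "l")]
NEAR_MISS_MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Reduce a hostname to its registrable domain (assumption: last two labels)."""
    host = host.lower().strip().rstrip(".")
    if host.startswith("*."):          # wildcard SAN entries
        host = host[2:]
    return ".".join(host.split(".")[-2:])


def normalize(label: str) -> str:
    """Collapse common homoglyph sequences so lookalikes compare equal."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def classify(host: str, org_domain: str) -> Optional[str]:
    """Return a verdict for host, or None if it is the org's own domain or unrelated."""
    cand = registrable(host)
    if cand == org_domain or "." not in cand:
        return None
    cand_label, _ = cand.split(".", 1)
    org_label, _ = org_domain.split(".", 1)
    if cand_label == org_label:
        return "tld-swap"          # same name, different suffix
    if normalize(cand_label) == normalize(org_label):
        return "homoglyph"         # rn for m, 1 for l, ...
    if org_label in cand_label:
        return "embedded"          # examplecorp-sso, loginexamplecorp, ...
    if levenshtein(cand_label, org_label) <= NEAR_MISS_MAX_DISTANCE:
        return "near-miss"         # typo-squat or transposition
    return None


def scan_ct_entries(entries: list, org_domain: str) -> list:
    """Return (registrable_domain, verdict) for each CT entry that looks like org_domain."""
    flagged, seen = [], set()
    for entry in entries:
        for host in [entry["leaf_domain"], *entry.get("sans", [])]:
            cand = registrable(host)
            if cand in seen:
                continue
            seen.add(cand)
            verdict = classify(host, org_domain)
            if verdict:
                flagged.append((cand, verdict))
    return flagged


# CONSTRUCTED CT log entries; only the fields this check needs.
SAMPLE_CT_ENTRIES = [
    {"leaf_domain": "www.examplecorp.com", "sans": ["*.examplecorp.com"], "not_before": "2024-03-01T00:00:00Z"},
    {"leaf_domain": "exarnplecorp.com", "sans": [], "not_before": "2024-03-05T00:00:00Z"},
    {"leaf_domain": "login.examplecorp-sso.com", "sans": [], "not_before": "2024-03-06T00:00:00Z"},
    {"leaf_domain": "mail.examplecorp.co", "sans": [], "not_before": "2024-03-07T00:00:00Z"},
    {"leaf_domain": "examplecrop.com", "sans": ["www.examplecrop.com"], "not_before": "2024-03-08T00:00:00Z"},
    {"leaf_domain": "unrelated.org", "sans": [], "not_before": "2024-03-09T00:00:00Z"},
]

if __name__ == "__main__":
    for domain, verdict in scan_ct_entries(SAMPLE_CT_ENTRIES, "examplecorp.com"):
        print(f"{verdict:10s} {domain}")
```

The organization's own certificate and the unrelated domain produce nothing; the other four entries each land in a different verdict class. The verdict is a triage label, not a block decision: feed flagged domains into the URL-filtering list described above once an analyst confirms they are not legitimate partner or subsidiary names, and tune `HOMOGLYPHS` and `NEAR_MISS_MAX_DISTANCE` to the length of your own brand label, since a distance of 2 is too loose for very short names.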
Monitor for unusual file upload/download patterns to cloud storage from endpoints. Detect OAuth token grants to unfamiliar third-party applications. Alert on Google Drive/Dropbox API calls originating from processes other than the official clients.
The group is prolific but less technically sophisticated than Lazarus. It relies heavily on social engineering, and its primary mission is intelligence collection on DPRK policy.
Legal Actions & Sanctions
No documented legal actions.
Recent Reporting
2024-03
Rapid7: Kimsuky social engineering targeting researchers