Cybereason, an Israeli cyber defense company specializing in endpoint protection for organizations, announced that its research team, Nocturnus, has discovered new malware and spyware being employed by a North Korean threat actor called Kimsuky. The group spied on governments and private entities in the US, Europe, Japan, South Korea and Russia. The organizations that were attacked include pharmaceutical and research companies working on COVID-19 vaccines, governmental defense departments, the UN Security Council, newspapers and human rights organizations.
The company revealed in its latest research that the North Koreans used new tools with advanced capabilities that had not been seen or documented until now. The first attack tool, called KGH_SPY, is used by the group to record the user's activity on the computer, steal passwords and sensitive data, and then send the stolen material to the group's encrypted servers. The second tool, CSPY Downloader, carries out a set of checks on the victim's computer to determine whether "the coast is clear" of cyberattack monitoring and analysis tools before carrying out the attack, thereby reducing the chance that the attackers will be exposed. Despite the use of advanced tools, Kimsuky relied on simple social engineering methods, such as phishing emails with attached files, to penetrate organizations.
"We monitor the different attack groups in the world on a daily basis, and recently we identified increased activity by the attack infrastructure of Kimsuky, which led us to start an intense investigation and to the discovery of the new attack tools," said Assaf Dahan, Head of Threat Research at Cybereason. "North Korean attack groups also operate against Israeli targets, but since the tools that we discovered today are new and were not known until now, the scope of the damage worldwide has yet to be fully discovered, and I believe that we will find their footprints in additional continents and countries soon."
Dahan also said that “Kimsuky has a rich history of cyberattacks that started in 2012 with attacks against South Korea. Over the past few years they have expanded their set of capabilities to advanced tools, and their circle of operations in Asia to neighbors Japan and Russia, and also to Europe and to the US.”