ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Kimsuky, Velvet Chollima

Names: Kimsuky (Kaspersky), Velvet Chollima (CrowdStrike), Thallium (Microsoft), Black Banshee (PWC), ITG16 (IBM)
Country: North Korea
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2013
Description: (Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored.
Observed sectors: Education, Energy, Think Tanks, and the Ministry of Unification, Sejong Institute and Korea Institute for Defense Analyses.
Observed countries: South Korea, USA.
Tools used: BabyShark, Gh0st RAT, Grease, KimJongRAT, Kimsuky, KPortScan, MailPassView, Mechanical, Mimikatz, MyDogs, Network Password Recovery, ProcDump, PsExec, Remote Desktop PassView, SniffPass, WebBrowserPassView, Living off the Land.
Operations performed:

2013: For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks.
<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>

2014: The South Korean government issued a report today blaming North Korea for network intrusions that stole data from Korea Hydro and Nuclear Power (KHNP), the company that operates South Korea's 23 nuclear reactors. While the government report stated that only 'non-critical' networks were affected, the attackers had demanded the shutdown of three reactors just after the intrusion. They also threatened 'destruction' in a message posted to Twitter.
<https://arstechnica.com/information-technology/2015/03/south-korea-claims-north-hacked-nuclear-data/>

Mar 2018: Operation “Baby Coin”
<https://blog.alyac.co.kr/m/1963>

May 2018: Operation “Stolen Pencil”
ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling Stolen Pencil that is targeting academic institutions since at least May 2018.
<https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia>

Oct 2018: Operation “Mystery Baby”
<https://blog.alyac.co.kr/m/1963>

Nov 2018: The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues.
<https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/>
<https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/>

Jan 2019: Operation “Kabar Cobra”
On January 7, 2019, a spear-phishing email with a malicious attachment was sent to members of the Ministry of Unification press corps.
<https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra%20(1).pdf>

Apr 2019: Operation “Stealth Power”
<https://blog.alyac.co.kr/2234>

Apr 2019: Operation “Smoke Screen”
<https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf>

Jul 2019: Operation “Red Salt”
<https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf>

Jul 2019: In what appears to be the first attack of its kind, a North Korean state-sponsored hacking group has been targeting retired South Korean diplomats, government, and military officials.
Targets of this recent campaign include former ambassadors, military generals, and retired members of South Korea’s Foreign Ministry and Unification Ministry.
<https://www.zdnet.com/article/north-korean-state-hackers-target-retired-diplomats-and-military-officials/>

Feb 2020: We decided to analyse the activity of the group after noticing a tweet of the user “@spider_girl22” on February 28th 2020.
<https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/>

Feb 2020: North Korea has tried to hack 11 officials of the UN Security Council.
<https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/>

Mar 2020: According to a tweet shared by South Korean cyber-security firm IssueMakersLab, a group of North Korean hackers also hid malware inside documents detailing South Korea's response to the COVID-19 epidemic.
The documents, believed to have been sent to South Korean officials, were booby-trapped with BabyShark, a malware strain previously utilized by a North Korean hacker group known as Kimsuky.
<https://twitter.com/issuemakerslab/status/1233010155018604545>
Counter operations:

Dec 2019: Microsoft takes court action against fourth nation-state cybercrime group.
<https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/>

Information:
<https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/>
<https://securityintelligence.com/media/recent-activity-from-itg16-a-north-korean-threat-group/>

MITRE ATT&CK:
<https://attack.mitre.org/groups/G0094/>
<https://attack.mitre.org/groups/G0086/>

Last change to this card: 19 October 2020



Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
