Summary of Kaspersky's Analysis of Suspected North Korean APT Attacks
2013-09-12 • Kaspersky • Summary of Kaspersky's analysis of suspected North Korean APT attacks
Attachments
북한의심APT공격_자료_분석.pdf (753 KB)
Kaspersky describes Operation Kimsuky as a suspected North Korea-linked cyber-espionage campaign targeting South Korean organizations, among them the Sejong Institute, KIDA, the Ministry of Unification, Hyundai Marine & Fire Insurance, and a reunification-focused civic group. The attribution indicators Kaspersky cites are Korean-language strings in the malware's compile path, a target set aligned with North Korean interests, the collection of HWP (Hangul word processor) documents, attempts to disable the Windows and AhnLab firewalls, a recipient mailbox registered under the Korean name Kim Suk-hyang, and operator IP addresses in China's Jilin and Liaoning regions bordering North Korea.

The malware chain loads an encrypted library, injects into explorer.exe using a technique modelled on Metasploit's Win7Elevate, disables firewall and security services, logs keystrokes, collects system and user data, and encrypts its reports before sending them through hardcoded mail.bg and Hotmail accounts. A dedicated HWP stealer copies itself as HncReporter.exe, rewrites the registry keys that define the open handler for Hangul documents so that it runs whenever a document is opened, and exfiltrates every opened HWP file by email. That document-theft component makes the campaign especially relevant to Korean policy and defense targets.
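The two behaviours that are easiest to look for on a host or at the network edge are the hijacked Hangul open handler and the direct SMTP traffic to the mail providers the malware uses. The script below is an added example written for this page; it is not code from the Kaspersky report. The registry export, firewall log lines, ProgID names (`HWP.Document.8`, `Hwp.Document.7`), Hancom install directory, log field layout and the `live.com` domain are all constructed assumptions for illustration; the `HncReporter.exe` filename and the mail.bg / Hotmail providers are the only details taken from the summary above.

```python
"""Triage helpers for the two Kimsuky behaviours summarised above.

Added example, not from the Kaspersky report: every input below is
constructed, and key names and paths are assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# Filename the report says the HWP stealer copies itself to.
STEALER_EXE = "hncreporter.exe"
# Assumed legitimate Hancom install roots (assumption, not from the page).
TRUSTED_HWP_DIRS = (r"c:\program files\hnc", r"c:\program files (x86)\hnc")
# Providers the malware reports to per the summary; live.com is an assumed Hotmail alias.
WEBMAIL_EXFIL_DOMAINS = ("mail.bg", "hotmail.com", "live.com")
SMTP_PORTS = {"25", "465", "587"}

# Constructed .reg-style export; ProgID names and paths are assumptions.
SAMPLE_REG_EXPORT = r"""
[HKEY_CLASSES_ROOT\HWP.Document.8\shell\open\command]
@="\"C:\\Program Files\\Hnc\\Hwp80\\Hwp.exe\" \"%1\""

[HKEY_CLASSES_ROOT\Hwp.Document.7\shell\open\command]
@="\"C:\\Users\\victim\\AppData\\Local\\Temp\\HncReporter.exe\" \"%1\""

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""

# Constructed firewall log lines; 10.0.1.10 plays the corporate mail relay.
SAMPLE_FW_LOG = """\
2013-09-11T09:14:02Z action=allow src=10.0.5.23 dsthost=mail.bg dport=25
2013-09-11T09:14:05Z action=allow src=10.0.5.23 dsthost=smtp.live.com dport=587
2013-09-11T09:20:41Z action=allow src=10.0.1.10 dsthost=mail.bg dport=25
2013-09-11T09:31:00Z action=allow src=10.0.5.41 dsthost=www.example.org dport=443
"""

HWP_OPEN_CMD = re.compile(r"^hkey_classes_root\\hwp\.document[^\\]*\\shell\\open\\command$")


def parse_reg_export(text: str) -> Dict[str, str]:
    """Map each registry key to its default ('@') value, unescaping .reg quoting."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            result[key] = re.sub(r"\\(.)", r"\1", line[3:-1])  # \\ -> \ and \" -> "
    return result


def handler_executable(command: str) -> str:
    """Return the executable path from a shell\\open\\command value."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def find_hijacked_hwp_handlers(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, exe, reason) for Hangul open handlers that look hijacked."""
    findings = []
    for key, value in parse_reg_export(reg_text).items():
        if not HWP_OPEN_CMD.match(key.lower()):
            continue  # only HWP document ProgIDs are of interest here
        exe = handler_executable(value)
        exe_l = exe.lower()
        if exe_l.rsplit("\\", 1)[-1] == STEALER_EXE:
            findings.append((key, exe, "handler is the Kimsuky HWP stealer filename"))
        elif not exe_l.startswith(TRUSTED_HWP_DIRS):
            findings.append((key, exe, "handler outside the expected Hancom install directory"))
    return findings


def flag_direct_webmail_smtp(log_text: str, mail_relays: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dsthost) for non-relay hosts speaking SMTP to the exfil providers."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(f.split("=", 1) for f in kv)
        if fields.get("dport") not in SMTP_PORTS or fields.get("src") in mail_relays:
            continue
        host = fields.get("dsthost", "").lower()
        if any(host == d or host.endswith("." + d) for d in WEBMAIL_EXFIL_DOMAINS):
            hits.append((ts, fields["src"], host))
    return hits


if __name__ == "__main__":
    for key, exe, why in find_hijacked_hwp_handlers(SAMPLE_REG_EXPORT):
        print(f"[registry] {key} -> {exe}: {why}")
    for ts, src, host in flag_direct_webmail_smtp(SAMPLE_FW_LOG, {"10.0.1.10"}):
        print(f"[network] {ts} {src} -> {host}: direct SMTP to webmail provider")
```

On a real host the registry export would come from `reg export HKCR\HWP.Document.8 out.reg` (or a collected hive), and the log lines from the perimeter firewall; the relay allow-list keeps the legitimate mail gateway out of the network findings, which is the difference between a usable alert and noise.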
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| | [email protected] | 2013-09-11 | 2013-09-12 |
| | [email protected] | 2013-09-11 | 2013-09-12 |
| | [email protected] | 2013-09-11 | 2013-09-12 |
| | [email protected] | 2013-09-11 | 2013-09-12 |
| | [email protected] | 2013-09-11 | 2013-09-12 |
| | [email protected] | 2013-09-11 | 2013-09-12 |
| | [email protected] | 2013-09-11 | 2013-09-12 |
| | [email protected] | 2013-09-11 | 2013-09-12 |
| | [email protected] | 2013-09-11 | 2013-09-12 |
| | [email protected] | 2013-09-11 | 2013-09-12 |