The “Kimsuky” Operation: A North Korean APT?
2013-09-11 • Kaspersky •
https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/
Kaspersky described a months-long cyber-espionage campaign, which it named the Kimsuky operation, targeting South Korean think tanks, defense policy bodies, the Ministry of Unification, Hyundai Merchant Marine, and related organizations. The malware carried Korean-language build paths and used Bulgarian free webmail accounts for command and control: infected hosts mailed host information and stolen data to "master" email addresses and retrieved additional encrypted executables from email attachments. The early-stage malware was likely delivered by spear-phishing; a DLL dropper loaded encrypted espionage components, established persistence as service DLLs, and ran single-purpose spying modules. The toolset disabled Windows Firewall and AhnLab firewall-related settings, collected system and user data, logged keystrokes, and encrypted exfiltration packages with RC4, with the RC4 key material wrapped using RSA. The report matters because it connects narrow South Korea-focused targeting with operational infrastructure, victimology, and host behaviors that defenders can map to telemetry; the hashes and URL below are the file and network indicators it published.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | ab73b1395938c48d62b7eeb5c9f3409d | 2013-09-11 | 2019-03-04 |
| EMAIL | [email protected] | 2013-09-11 | 2013-09-12 |
| EMAIL | [email protected] | 2013-09-11 | 2013-09-12 |
| EMAIL | [email protected] | 2013-09-11 | 2013-09-12 |
| EMAIL | [email protected] | 2013-09-11 | 2013-09-12 |
| EMAIL | [email protected] | 2013-09-11 | 2013-09-12 |
| EMAIL | [email protected] | 2013-09-11 | 2013-09-12 |
| EMAIL | [email protected] | 2013-09-11 | 2013-09-12 |
| EMAIL | [email protected] | 2013-09-11 | 2013-09-12 |
| EMAIL | [email protected] | 2013-09-11 | 2013-09-12 |
| EMAIL | [email protected] | 2013-09-11 | 2013-09-12 |
| HASH | 96280f3f9fd8bdbe60a23fa621b85ab6 | 2013-09-11 | 2013-09-11 |
| HASH | 122c523a383034a5baef2362cad53d57 | 2013-09-11 | 2013-09-11 |
| HASH | d0af6b8bdc4766d1393722d2e67a657b | 2013-09-11 | 2013-09-11 |
| HASH | 2173bbaea113e0c01722ff8bc2950b28 | 2013-09-11 | 2013-09-11 |
| HASH | 5eef25dc875cfcb441b993f7de8c9805 | 2013-09-11 | 2013-09-11 |
| HASH | 3ae894917b1d8e4833688571a0573de4 | 2013-09-11 | 2013-09-11 |
| HASH | face9e96058d8fe9750d26dd1dd35876 | 2013-09-11 | 2013-09-11 |
| HASH | d94f7a8e6b5d7fc239690a7e65ec1778 | 2013-09-11 | 2013-09-11 |
| HASH | 80cba157c1cd8ea205007ce7b64e0c2a | 2013-09-11 | 2013-09-11 |
| HASH | dbedadc1663abff34ea4bdc3a4e03f70 | 2013-09-11 | 2013-09-11 |
| HASH | 8a85bd84c4d779bf62ff257d1d5ab88b | 2013-09-11 | 2013-09-11 |
| HASH | f1389f2151dc35f05901aba4e5e473c7 | 2013-09-11 | 2013-09-11 |
| HASH | 2a0b18fa0887bb014a344dc336ccdc8c | 2013-09-11 | 2013-09-11 |
| HASH | ffad0446f46d985660ce1337c9d5eaa2 | 2013-09-11 | 2013-09-11 |
| HASH | 191d2da5da0e37a3bb3cbca830a405ff | 2013-09-11 | 2013-09-11 |
| HASH | 3baaf1a873304d2d607dbedf47d3e2b4 | 2013-09-11 | 2013-09-11 |
| HASH | 4ea3958f941de606a1ffc527eec6963f | 2013-09-11 | 2013-09-11 |
| HASH | 9f7faf77b1a2918ddf6b1ef344ae199d | 2013-09-11 | 2013-09-11 |
| HASH | 637e0c6d18b4238ca3f85bcaec191291 | 2013-09-11 | 2013-09-11 |
| HASH | 4a1ac739cd2ca21ad656eaade01a3182 | 2013-09-11 | 2013-09-11 |
| HASH | f25c6f40340fcde742018012ea9451e0 | 2013-09-11 | 2013-09-11 |
| HASH | 69930320259ea525844d910a58285e15 | 2013-09-11 | 2013-09-11 |
| HASH | 4839370628678f0afe3e6875af010839 | 2013-09-11 | 2013-09-11 |
| HASH | 45448a53ec3db51818f57396be41f34f | 2013-09-11 | 2013-09-11 |
| HASH | 173c1528dc6364c44e887a6c9bd3e07c | 2013-09-11 | 2013-09-11 |
| HASH | f68fa3d8886ef77e623e5d94e7db7e6c | 2013-09-11 | 2013-09-11 |
| HASH | b3caca978b75badffd965a88e08246b0 | 2013-09-11 | 2013-09-11 |
| HASH | 3195202066f026de3abfe2f966c9b304 | 2013-09-11 | 2013-09-11 |
| HASH | b20c5db37bda0db8eb1af8fc6e51e703 | 2013-09-11 | 2013-09-11 |
| HASH | 81b484d3c5c347dc94e611bae3a636a3 | 2013-09-11 | 2013-09-11 |
| URL | http://www.unihope.kr/ | 2013-09-11 | 2013-09-11 |
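The following is an added example of how a defender would actually consume a table like the one above, not code from the Kaspersky report. It parses the table format used on this page (Type | Value | First Seen | Last Seen), normalises the indicators, and sweeps constructed host telemetry for them. Two details matter in practice: the e-mail rows survive extraction only as a placeholder, so the parser must skip them rather than treat the placeholder as an indicator; and the URL indicator ends in "/", so matching is done on the host name, otherwise any deeper path on www.unihope.kr would be missed. The host names, file paths, MD5 values not taken from the table, and proxy log lines are constructed for illustration; the table excerpt holds only a few of the rows above.

```python
"""Sweep constructed telemetry for the Kimsuky IOCs listed on this page.

Added example, not code from the report. Everything under FILE_EVENTS and
PROXY_LOG is constructed; only the IOC values come from the table above.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlparse

# Excerpt of the page's IOC table (a few rows, not the full list). The e-mail
# row is shown the way it survives extraction: the address is replaced by a
# placeholder, so the row carries no usable indicator and must be skipped.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | ab73b1395938c48d62b7eeb5c9f3409d | 2013-09-11 | 2019-03-04 |
| EMAIL | [email protected] | 2013-09-11 | 2013-09-12 |
| HASH | 96280f3f9fd8bdbe60a23fa621b85ab6 | 2013-09-11 | 2013-09-11 |
| HASH | 8a85bd84c4d779bf62ff257d1d5ab88b | 2013-09-11 | 2013-09-11 |
| URL | http://www.unihope.kr/ | 2013-09-11 | 2013-09-11 |
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
REDACTED_PLACEHOLDER = "[email protected]"  # what the extraction left of each address


def parse_ioc_table(text: str) -> Dict[str, Set[str]]:
    """Return {"HASH": {md5, ...}, "URL": {hostname, ...}} from a markdown IOC table.

    Hashes are lower-cased and must be 32 hex digits (the page lists MD5s).
    URLs are reduced to their host name so that "http://www.unihope.kr/" also
    covers "http://www.unihope.kr/some/deeper/path". Redacted rows are skipped.
    """
    iocs: Dict[str, Set[str]] = {"HASH": set(), "URL": set()}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] == "Type" or REDACTED_PLACEHOLDER in cells:
            continue
        if set(cells[0]) <= {"-"}:  # the |---|---| separator row
            continue
        kind, value = cells[0].upper(), cells[1]
        if kind == "HASH":
            value = value.lower()
            if not MD5_RE.match(value):
                raise ValueError(f"not an MD5 hash: {value!r}")
            iocs["HASH"].add(value)
        elif kind == "URL":
            host = urlparse(value).hostname
            if host:
                iocs["URL"].add(host.lower())
        # EMAIL rows would be handled here once real addresses are available.
    return iocs


# Constructed EDR-style file-hash events. The first MD5 is that of an empty
# file and is deliberately not an indicator; the others are copied from the
# table, one in upper case to show that normalisation is required.
FILE_EVENTS = [
    {"host": "wks-unif-07", "path": r"C:\Temp\empty.bin",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"host": "wks-unif-07", "path": r"C:\Temp\a.dll",
     "md5": "AB73B1395938C48D62B7EEB5C9F3409D"},
    {"host": "wks-dp-12", "path": r"C:\Users\user\AppData\Local\Temp\b.exe",
     "md5": "8a85bd84c4d779bf62ff257d1d5ab88b"},
]

# Constructed proxy log: timestamp, client IP, method, URL, status.
# The last line uses the bare domain without "www", which the exact host
# match below does NOT flag; widening to the registered domain is a tuning
# decision, not something the table itself supports.
PROXY_LOG = """\
2013-09-11T08:14:02Z 10.10.4.21 GET http://www.unihope.kr/board/view.php?id=12 200
2013-09-11T08:15:40Z 10.10.4.21 GET http://www.example.org/ 200
2013-09-11T09:01:13Z 10.10.7.5 GET http://UNIHOPE.kr/ 302
"""
PROXY_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def match_file_events(events: Iterable[dict], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (host, path, md5) for every file event whose MD5 is an indicator."""
    hits = []
    for ev in events:
        md5 = ev["md5"].lower()  # feeds disagree on case; the IOC set is lower-case
        if md5 in iocs["HASH"]:
            hits.append((ev["host"], ev["path"], md5))
    return hits


def match_proxy_log(log: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, url) for proxy lines whose host is an indicator."""
    hits = []
    for line in log.splitlines():
        m = PROXY_LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts, client, _method, url, _status = m.groups()
        host = (urlparse(url).hostname or "").lower()
        if host in iocs["URL"]:
            hits.append((ts, client, url))
    return hits


def run() -> Dict[str, list]:
    """Parse the table and sweep both telemetry sources; returns all hits."""
    iocs = parse_ioc_table(IOC_TABLE)
    return {"file_hits": match_file_events(FILE_EVENTS, iocs),
            "proxy_hits": match_proxy_log(PROXY_LOG, iocs)}


if __name__ == "__main__":
    for source, hits in run().items():
        print(source, hits)
```

Against the constructed telemetry the sweep yields two file hits (the upper-case hash is matched after normalisation) and one proxy hit; the bare-domain request is not flagged. Swap in the full table and real EDR and proxy exports, and keep the validation strict: a row that fails the MD5 check is more likely a copy error in the feed than a new hash type.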