U.S., ROK Agencies Alert: DPRK Cyber Actors Impersonating Targets to Collect Intelligence
2023-06-01 • USNSA
NSA and U.S./ROK partners warn that DPRK state-sponsored actors tracked as Kimsuky, THALLIUM, or VELVETCHOLLIMA use social engineering and malware to collect intelligence from think tanks, academia, news media, and other targets. The advisory says the actors impersonate trusted sources to gather information on geopolitical events, foreign policy, and Korean Peninsula security issues, then use successful compromises to craft more credible spearphishing against higher-value targets. It identifies Kimsuky as subordinate to North Korea’s Reconnaissance General Bureau (RGB) and says stolen data supports broader RGB cyber objectives. The release urges recipients to apply the mitigations in the Cybersecurity Advisory (CSA) and report spearphishing examples with “#KimsukyCSA.”