An IT security company’s researchers have published a report that analyses an active cyber-espionage campaign primarily targeting South Korean think-tanks.
This campaign, named Kimsuky, is limited and highly targeted. According to Kaspersky Lab technical analysis, attackers were interested in targeting 11 organisations based in South Korea and two entities in China including the Sejong Institute, Korea Institute for Defense Analyses (KIDA), South Korea’s Ministry of Unification, Hyundai Merchant Marine and the supporters of Korean Unification.
The earliest signs of this threat actor’s activity date back to April 2013, and the first Kimsuky Trojan samples appeared on May 5. This unsophisticated spy program includes several basic coding errors and handles communications to and from infected machines via a Bulgarian web based free e-mail server (mail.bg).
Although the initial delivery mechanism remains unknown, Kaspersky researchers believe the Kimsuky malware is most likely delivered via spear-phishing e-mails and has the ability to perform the following espionage functions: keystroke logging, directory listing collection, remote control access and HWP document theft (related to the South Korean word processing application from the Hancom Office bundle, extensively used by the local government). The attackers are using a modified version of the TeamViewer remote access application to serve as a backdoor to hijack any files from the infected machines.
The Kimsuky malware contains a dedicated malicious program designed for stealing HWP files, which suggests that these documents are one of main objectives of the group.
Clues found by Kaspersky Lab make it possible to surmise the North Korean origin of the attackers, the IT firm adds. First of all, profiles of the targets speak for themselves – South Korean universities conducting research on international affairs and producing defense policies for government, a national shipping company, and support groups for Korean unification. Secondly – a compilation path string containing Korean words (for example, some of them could be translated as English commands “attack” and “completion”).
