As the Trilateral Summit of the U.S.-Japan-South Korea Approaches, Kimsuky Undercurrents Stir
Incident Analysis Report | June 5, 2024
Kimsuky is an APT group based in North Korea that has been active since at least 2012. The group targets government entities, think tanks, and subject-matter experts in South Korea, Japan, the United States, Russia, Europe, and the United Nations, focusing on intelligence collection related to the Korean Peninsula, nuclear policy, diplomatic policy, and national security issues connected to sanctions. Recently, with the trilateral summit of the United States, Japan, and South Korea in the planning stage, SecAI has captured multiple targeted attack samples from the Kimsuky group aimed at the United States, Japan, and South Korea. Analysis of this series of attack events has led to the following findings:
The Kimsuky group's targeted attack activity against the United States, Japan, and South Korea has been ongoing since April 2024. The specific targets are suspected to be politicians in Japan and South Korea who work on North Korean issues, and defense-industry engineers in the United States (and possibly Germany).
The lures used in this activity include topics related to the trilateral summit of the United States, Japan, and South Korea, as well as job descriptions from the American defense contractors General Dynamics Land Systems and Lockheed Martin. The attack samples targeting South Korea were delivered through social engineering phishing on Facebook (according to the Genius investigation report). The initial attack payloads include relatively rare MSC format files with fake Word icons (using Google online documents as lures), and some PE files with fake PDF icons. All initial samples evade anti-virus detection well.
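A triage check for the two initial-payload types named above (MSC console files posing as documents, and PE files carrying document-like names or icons), added here as an example and not SecAI's code; the file names, bytes and finding labels are constructed for illustration.

```python
"""Flag attachments that match the two lure formats described in the report:
MSC console files (XML rooted at <MMC_ConsoleFile>, which MMC will execute)
and PE executables (MZ header) named to look like a PDF or Office document.
Added example with constructed samples; not the vendor's detection logic."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# File names that a user would read as a document, including double extensions.
DOC_LIKE = re.compile(r"\.(docx?|pdf|xlsx?|pptx?)(\.|$)", re.IGNORECASE)


def classify(name: str, data: bytes) -> Optional[str]:
    """Return a finding label for a suspicious attachment, or None."""
    head = data.lstrip()
    # MSC files are XML; a console file arriving as an email/chat attachment
    # is itself the lure, whatever icon it declares.
    if head.startswith(b"<?xml") or head.startswith(b"<MMC_ConsoleFile"):
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            return None
        if root.tag == "MMC_ConsoleFile":
            return "msc-console-file"
    # A PE file with a document-looking name is the fake-PDF-icon pattern.
    if data[:2] == b"MZ" and DOC_LIKE.search(name):
        return "pe-masquerading-as-document"
    return None


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Run classify() over a name->bytes mapping and keep only the findings."""
    return {n: f for n, d in samples.items() if (f := classify(n, d))}


# Constructed samples: a minimal MSC console, a PE stub with a double
# extension, a plain PE and a text file that should not be flagged.
SAMPLES = {
    "summit_agenda.msc": b'<?xml version="1.0"?><MMC_ConsoleFile ConsoleVersion="3.0">'
                         b"<StringTables/></MMC_ConsoleFile>",
    "job_description.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, finding in triage(SAMPLES).items():
        print(f"{name}: {finding}")
```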
Through analysis of the related samples, IP addresses, and domain names, SecAI has extracted multiple relevant IOCs for threat intelligence detection. SecAI's Network Detection and Response (SecAI NDR) and Threat Intelligence Cloud API support detection of this attack event.
Copyright © SECAI PTE LTD. All rights reserved.