Since its emergence in 2012, Kimsuky has become a central actor in the cyber apparatus of the North Korean regime. Expert in the art of spear phishing, the group keeps launching espionage campaigns whose increasing sophistication challenges cybersecurity experts from Seoul to Washington.


General Park Yowon stares directly at the camera. The blue background of the photograph highlights his khaki fatigues, characteristic of the South Korean army. Nothing is out of place in this ID-style photograph, affixed to a military card. Yet General Park Yowon does not exist. He was generated by artificial intelligence—ChatGPT, to be precise—by operators of the North Korean cyberespionage group Kimsuky, in the hope of infiltrating the information systems of adversarial military institutions via a phishing email.

Through this campaign, Kimsuky achieved an impressive feat: it is normally not possible to generate fake documents this sensitive with ChatGPT. Yet the metadata is clear: they were indeed generated by this tool. Experts from Genians explain in their report published on September 16 that, even if requests to create fake identity documents are rejected, it is possible to circumvent this by presenting the task from an aesthetic or graphic-design angle.

Kimsuky is known under many other names: APT43, THALLIUM, Velvet Chollima, Black Banshee, Emerald Sleet, etc. Active since 2012, the group has conducted numerous campaigns, mainly against South Korea, but has also targeted Japan, the United States, and Europe. Its activity is quite characteristic of actions carried out by the North Korean regime in cyberspace, with which it is very likely associated.

A key player in North Korean cyberespionage

Kaspersky was the first to name Kimsuky in a 2013 report, a name that remains the most commonly used to refer to this group. It comes from one of the registration pseudonyms of inboxes used as command-and-control servers, namely “kimsukyang.” The cybersecurity community’s interest in this group increased between 2019 and 2020, reflected in the publication of numerous reports and a better understanding of this cyberthreat. Observations have multiplied since, revealing increasing sophistication in their tools and techniques, ranging from simple social engineering to advanced malware.

The main objective of Kimsuky is the collection of strategic information that aligns with Pyongyang’s interests. Mandiant assesses with high confidence that the group acts on behalf of the North Korean regime and hypothesizes that it could even be affiliated with the Reconnaissance General Bureau (RGB), North Korea’s main foreign intelligence agency. To gather information, it primarily targets military and governmental institutions, think tanks, universities, and press organizations mostly located in South Korea and the United States. However, Kimsuky has also attacked Japan, Russia, and European countries.

Targets evolve depending on North Korea’s geopolitical priorities. For example, between 2020 and 2021, Kimsuky’s campaigns heavily targeted the healthcare sector. In the middle of the Covid-19 pandemic, this was no coincidence. The group is particularly interested in entities linked to the energy sector, including think tanks. The goal is to monitor what is being said about North Korea’s nuclear program while collecting strategic information that could feed into it. Regarding other targets, the campaigns mainly serve to gain visibility into what is being said about the regime, as well as to anticipate the publication of sensitive data and potential sanctions.

In response to Kimsuky’s aggressiveness, Washington and its allies have imposed sanctions on the group, denouncing its information-collection practices and accusing it of supporting North Korean foreign policy. The effect of these measures is currently very limited, particularly because some operators may be located outside North Korea. A Trellix report highlights that some of them could be based in China. During a campaign targeting foreign embassies in Seoul, analysts noticed decreased activity at certain times corresponding to Chinese public holidays. This hypothesis was confirmed by OFAC in a 2022 statement, in which the agency indicated that some North Korean operators were located in China and Russia, allowing cyberespionage groups to circumvent sanctions.

Growing sophistication

Year after year, Kimsuky has transformed its artisanal attacks into a well-oiled espionage machine. The group focuses on spear phishing to infiltrate the information systems of its targets. Its strength lies in its ability to make emails credible: through social engineering, its operators have distinguished themselves in the art of creating coherent personas to entice victims into clicking on malicious links or downloading infected attachments. Specialists have analyzed some of these attachments: in certain cases, they were Word (.dotm) documents containing malicious macros that execute scripts and install backdoors. These documents are well designed, with credible themes (diplomatic letters, statements on human rights, etc.), improving credibility and thus the likelihood of success. This allows the discreet deployment of a software suite (backdoor modules, data theft, keylogger).

According to a report published by Cybereason’s Nocturnus team, Kimsuky’s campaigns have been marked by increasing sophistication. Whereas at the beginning, the group limited itself to a few pieces of malware, it now deploys a complete suite of malicious software. This allows it to tailor attacks to each target, loading components only when necessary, making analysis more complex. This escalation is also reflected in the use of the “CSPY Downloader” module, equipped with evasion techniques. It ensures that the environment is “suitable” before deploying malware. It is packed with UPX, uses revoked certificates, and contains debugging paths (PDB): all signs that Kimsuky is investing in techniques designed to circumvent classical defenses.

Moreover, Kimsuky’s operators resort to various techniques to obscure their activities. They falsify malware creation timestamps (backdating), sign files with revoked certificates, use debugging paths—all measures that significantly complicate investigations. They also reuse servers and domains already observed in past campaigns (notably BabyShark), ensuring continuity while oscillating between old and new tools.
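As an added defender-side illustration (not code from the article or from any of the vendor reports it cites): a small, dependency-free triage check for two of the header-level indicators named above, UPX packing and a backdated compile timestamp, run over a constructed PE header. The three-year threshold, the sample section names and the dates are assumptions made for the example.

```python
import datetime
import struct

BACKDATE_YEARS = 3  # assumed heuristic threshold, not a value from the article

def parse_pe_header(data: bytes) -> dict:
    """Minimal PE parser: COFF TimeDateStamp and section names, no third-party deps."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    names = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsections)]
    return {"timestamp": stamp, "sections": names}

def triage(data: bytes, first_seen: datetime.datetime) -> list:
    """Flag the two header-level indicators the article names: UPX packing and backdating."""
    hdr = parse_pe_header(data)
    findings = []
    if any(n.startswith("UPX") for n in hdr["sections"]):
        findings.append("upx-packed")
    compiled = datetime.datetime.fromtimestamp(hdr["timestamp"], datetime.timezone.utc)
    # A stamp after first sighting, or years before it, is implausible for fresh tooling.
    # Caveat: reproducible builds (e.g. MSVC /Brepro) store a hash here, so confirm manually.
    if compiled > first_seen:
        findings.append("timestamp-in-future")
    elif (first_seen - compiled).days > 365 * BACKDATE_YEARS:
        findings.append("timestamp-backdated")
    return findings

def build_sample_pe(stamp: int, section_names: list) -> bytes:
    """Constructed PE header for testing (optional header omitted; not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), stamp, 0, 0, 0, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections

def demo() -> list:
    """Constructed sample: UPX sections and a 2008 stamp, first seen in late 2020."""
    seen = datetime.datetime(2020, 11, 1, tzinfo=datetime.timezone.utc)
    packed = build_sample_pe(1199145600, ["UPX0", "UPX1", ".rsrc"])  # 2008-01-01 UTC
    return triage(packed, seen)
```

Calling `demo()` returns `['upx-packed', 'timestamp-backdated']`; on a real sample, pass the file bytes and the date the file was first observed in your environment.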

Limited financial resources

Like those of many North Korean APT groups, Kimsuky’s actions are constrained by limited financial means, since the group depends on the regime. To finance itself (and thereby support its espionage activities), the group does not hesitate to conduct cybercriminal activities, which translate into cryptocurrency theft via cyberattacks. Between 2017 and 2023, North Korean groups are estimated to have stolen more than 3 billion dollars in cryptocurrency. Operators initially targeted South Korean entities before expanding their geographic scope.

North Korean groups do not merely steal cryptocurrencies: they also exploit compromised servers to install mining software, particularly Monero, generating additional revenues. Once stolen, these assets pass through a vast laundering network set up by Pyongyang, where they are converted into fiat currency or used to acquire goods and services. Financial flows frequently pass through casinos or illicit exchange platforms to obfuscate the trails. These schemes make stolen cryptocurrencies an essential source of funding for the regime, to the point that their theft could cover up to 50% of North Korea’s ballistic missile program expenditures.

These financial activities are only part of the broader North Korean cyber system: the other rests on collaboration between different groups. Kimsuky does not hesitate to work with other attackers, as noted in a 2022 Mandiant report. The group has reportedly shared tools and resources temporarily, which has sometimes complicated attribution and reinforced confusion between Kimsuky and other entities such as Lazarus. Nevertheless, this illustrates the major role the group plays within the cyber apparatus of the North Korean regime.
