Kimsuky

🔴 High
Also known as: APT43, Black Banshee, Emerald Sleet, Springtail, TA427, THALLIUM, Velvet Chollima, Operation Stolen Pencil, G0086, Sparkling Pisces, Kimsuky - APT-C-55, RGB-D5, Greendinosa

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Its operations have overlapped with other DPRK actors, likely due to ad hoc collaboration or limited resource sharing. [2][3][4][5][6][7] Because of overlapping operations, some researchers group a wide range of North Korean state-sponsored cyber activity under the broader Lazarus Group umbrella rather than tracking separate subgroup or cluster distinctions.

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019). [8][9][10]

In 2023, Kimsuky was observed using commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance. [11]

🌍 Country North Korea
📅 Activity 2021 — 2022
Risk Level High
🎯 Incident Type Espionage
🧭 ATT&CK G0094
Targeted Sectors: Research - Innovation, Energy, Defense, Diplomacy, Academia - University, News - Media, Government, Private sector


Activities and Tactics

Targeted Sectors: Research - Innovation, Energy, Defense, Diplomacy, Academia - University, News - Media, Government, Private sector

Country of Origin: 🇰🇵 North Korea

Risk Level: High

First Seen: 2021

Last Activity: 2022

Incident Type: Espionage

Suspected Victims: Ministry of Unification, Sejong Institute, Korea Institute for Defense Analyses, Germany

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 2 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

  • PowerDuke
  • POWERSTATS
  • Power Loader
  • POWERSOURCE
  • Nuclear RAT
  • PowerRAT

Attribution and Evidence

Country of Origin: North Korea

Additional attribution information pending cataloguing.

References

[1] MITRE ATT&CK entry
[2] EST Kimsuky April 2019
[3] Cybereason Kimsuky November 2020
[4] Malwarebytes Kimsuky June 2021
[5] CISA AA20-301A Kimsuky
[6] Mandiant APT43 March 2024
[7] Proofpoint TA427 April 2024
[8] Netscout Stolen Pencil Dec 2018
[9] EST Kimsuky SmokeScreen April 2019
[10] AhnLab Kimsuky Kabar Cobra Feb 2019
[11] MSFT-AI