Combatting Kimsuky and Safeguarding National Intelligence

In the covert realm of cyberspace, a formidable adversary has emerged – a state-sponsored, North Korean group known as Kimsuky. Their clandestine operations are not motivated by profit, but by the pursuit of state secrets and strategic intelligence for the Democratic People’s Republic of Korea (DPKR). Read More

Although their targets are primarily South Korean, they have in recent years expanded operations globally and across healthcare, government, defense industrial base and manufacturing industries. While signs of this APT group were reported as early as 2013, their recent activities have increasingly raised alarm bells around the growing threat the group poses.

National Intelligence Remains the Primary Target

While phishing is one of the more common techniques performed by adversaries, Kimsuky has made a name for themselves through their masterful art of deception. They rely on spear-phishing campaigns, luring government officials into their intricate web of deceit. Emails disguised as urgent military orders or diplomatic communications held the key to their success. Once clicked, initial access is achieved and malware is unleashed, allowing Kimsuky to move undetected across multiple stages of the cyber kill chain – with an emphasis on reconnaissance, exfiltration, and collection – and deeper into the infected internal network.

Kimsuky isn’t your typical adversary group. They are a well-funded, state-sponsored entity with extensive resources and expertise. To evade detection, they continually adapt their tactics, creating new malware variants and employing evasion techniques that challenge even the most advanced cybersecurity defenses.

Strengthen Your Lines of Defense through Attack Graphs

Now you can test against them. AttackIQ has launched a number of campaigns to emulate Kimsuky’s advances and mimic their patterns. A single click, prepacked set of test scenarios empowers teams to rapidly validate their controls against the most common TTPs this group uses, including the release of four new attack graphs emulating the adversary’s reconnaissance operations. Validating your security program performance against these behaviors is vital to reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Emulate a significant portion of North Korea’s intelligence-centric clandestine operations.
  • Assess the security posture against a threat actor that specializes in social engineering and employs deceptive attacks as their primary tactics.
  • Continuously validate detection and prevention effectiveness against the techniques continuously used by this North Korean adversary.

Take an in-depth look into how AttackIQ’s Adversary Research Team (ART) emulates Kimsuky’s behaviors below:

Office  Document-based Campaign:

  • Actions like downloading malicious files to memory and disk
  • System and security software discovery
  • Scheduled task execution
  • Data exfiltration via HTTP

Malicious Word Document Campaign:

  • Persistence through startup folder and registry keys
  • FTP connections
  • System information discovery
  • Data exfiltration and changing Office settings

CHM File Infection Chain:

  • Capturing input and clipboard data
  • Deobfuscation, remote payload execution
  • Keylogging and data exfiltration

Campaign against Nuclear Power Plant-related Companies:

  • User discovery and DLL execution
  • Network configuration discovery
  • Security software detection
  • Data exfiltration and file discovery


In the realm of cyber warfare, state-sponsored threats like Kimsuky pose an ever-increasing risk to national security worldwide. They excel in covert operations, targeting not only governments but also various industries, leveraging deception, spear-phishing, and advanced malware. Now you can test against it using AttackIQ Flex which empowers organizations to emulate Kimsuky’s tactics, assess security measures, and stay ahead of this evolving adversary. As we confront the ongoing battle to safeguard national intelligence, AttackIQ Flex is here to provide a critical edge in the relentless pursuit of cyber defense.