Kimsuky
Aliases: Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, APT43, TA427
Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the UN and the government, education, business services, and manufacturing sectors in the United States, Japan, Russia, and Europe. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean cyber espionage actors, likely as a result of ad hoc collaborations or other limited resource sharing. Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019). North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
ATT&CK techniques
Data from Local System
Malware (T1587.001)
Acquire Infrastructure (T1583)
Remote Desktop Protocol (T1021.001)
Email Accounts (T1585.002)
Malicious File (T1204.002)
Network Sniffing (T1040)
Spearphishing Link (T1566.002)
Tool (T1588.002)
Local Accounts (T1078.003)
Deobfuscate/Decode Files or Information (T1140)
Upload Malware (T1608.001)
Ingress Tool Transfer (T1105)
Develop Capabilities (T1587)
Exfiltration to Cloud Storage (T1567.002)
Phishing for Information (T1598)
Code Signing (T1553.002)
Masquerade Task or Service (T1036.004)
Bidirectional Communication (T1102.002)
Malicious Link (T1204.001)
Internal Spearphishing (T1534)
Exploit Public-Facing Application (T1190)
Social Media (T1593.001)
Employee Names (T1589.003)
Rundll32 (T1218.011)
Hidden Users (T1564.002)
Browser Extensions (T1176)
File Deletion (T1070.004)
Remote Access Software (T1219)
Server (T1583.004)
Reflective Code Loading (T1620)
Multi-Factor Authentication Interception (T1111)
Search Victim-Owned Websites (T1594)
Windows Command Shell (T1059.003)
Domains (T1583.001)
Query Registry (T1012)
Gather Victim Org Information (T1591)
Web Protocols (T1071.001)
Social Media Accounts (T1585.001)
Financial Theft (T1657)
Local Account (T1136.001)
System Service Discovery (T1007)
Email Accounts (T1586.002)
Archive via Custom Method (T1560.003)
Timestomp (T1070.006)
Spearphishing Link (T1598.003)
Pass the Hash (T1550.002)
Adversary-in-the-Middle (T1557)
Security Software Discovery (T1518.001)
Mshta (T1218.005)
Exfiltration Over C2 Channel (T1041)
External Remote Services (T1133)
System Information Discovery (T1082)
Domains (T1584.001)
Email Addresses (T1589.002)
JavaScript (T1059.007)
Obfuscated Files or Information (T1027)
Local Data Staging (T1074.001)
Mail Protocols (T1071.003)
Keylogging (T1056.001)
Software Packing (T1027.002)
Credentials In Files (T1552.001)
Archive via Utility (T1560.001)
System Network Configuration Discovery (T1016)
Credentials from Web Browsers (T1555.003)
Change Default File Association (T1546.001)
Spearphishing Attachment (T1566.001)
Process Discovery (T1057)
Process Injection (T1055)
Modify Registry (T1112)
PowerShell (T1059.001)
Disable or Modify System Firewall (T1562.004)
Exploits (T1588.005)
Regsvr32 (T1218.010)
Registry Run Keys / Startup Folder (T1547.001)
Disable or Modify Tools (T1562.001)
Windows Service (T1543.003)
Web Services (T1583.006)
File and Directory Discovery (T1083)
Hidden Window (T1564.003)
Scheduled Task (T1053.005)
Match Legitimate Name or Location (T1036.005)
Search Engines (T1593.002)
Process Hollowing (T1055.012)
Email Forwarding Rule (T1114.003)
File Transfer Protocols (T1071.002)
LSASS Memory (T1003.001)
Visual Basic (T1059.005)
Additional Local or Domain Groups (T1098.007)
Python (T1059.006)
Web Shell (T1505.003)
Remote Email Collection (T1114.002)
Masquerading (T1036)