
Hacktivists Breach North Korean Hackers Kimsuky and Expose Their Secrets Online

North Korean hackers’ computers were breached and their data published online, giving a rare glimpse into the cyber activities of the hermit nation.

The alleged cyber intrusion was carried out by two hackers known as Saber and cyb0rg, who later published their findings on Phrack, the legendary online cybersecurity magazine.

The hacktivists believed that the findings would benefit threat hunters, reverse engineers, and other hackers interested in North Korean cyber activity.

The duo also forwarded the exfiltrated data to DDoSecrets, a non-profit that archives and publishes stolen documents.

Hacktivists identify Kimsuky-affiliated North Korean hackers

The hacktivists claimed to have breached a computer belonging to a threat actor known as “Kim” who works for the state-affiliated hacking group Kimsuky, also tracked as APT43 or Thallium.

The group targets government agencies, think tanks, journalists, and other geopolitically significant entities. It also conducts cryptocurrency heists on an industrial scale to fund the cash-strapped regime’s missile and nuclear programs.

The 9GB trove of stolen data included passwords, configuration files, logs, tactics and techniques, and even a threat actor’s Google search history. It also exposed Kimsuky’s stolen government certificates, live phishing infrastructure, Cobalt Strike payloads, C2 infrastructure, and kernel-level backdoors.

The duo also found that North Korean hackers cooperate with Chinese state-affiliated threat actors and even share tools and tactics to breach organizations.

“It shows a glimpse how openly ‘Kimsuky’ cooperates with Chinese [government hackers] and shares their tools and techniques,” they stated.

South Korea targeted by North Korean hackers

Based on the leaked data, the duo assessed that the North Korean hackers were more interested in breaching South Korean government entities and businesses than other targets.

Cybersecurity firm ESET seemingly confirms this observation by stating that Kimsuky was shifting focus from Western targets to South Korea.

Unsurprisingly, some logs suggest that North Korean hackers had breached South Korea’s military intelligence security agency and the Ministry of Foreign Affairs.

A full phishing toolkit targeting the South Korean military domain dcc.mil.kr was also leaked. Brute force attempts on South Korean sites unification.go.kr and spo.go.kr were also exposed.

The leak also exposed a Single Sign-On (SSO) tool onnara_sso linked to nara9.saas.gcloud.go.kr, suggesting that North Korean hackers had persistence on South Korean government portals.

Full source code for South Korea’s Ministry of Foreign Affairs email platform was recovered during the cyber breach.

Additionally, based on the leaked “artifacts and hints,” including configuration files and domains, the two hackers believe they have identified North Korean hackers affiliated with the state-sponsored group.

The altruistic threat actors also observed that Kimsuky-affiliated North Korean hackers had strict office working hours, “always connecting at around 09:00 and disconnecting by 17:00 Pyongyang time.”

Meanwhile, the hacktivists were appalled by the North Korean threat actors’ malicious cyber activity. In response, they slammed the DPRK hackers for allowing financial greed to motivate them at the expense of innocent people.

“Kimsuky, you’re not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda. You steal from others and favour your own. You value yourself above the others: You are morally perverted,” the two wrote in Phrack. “You hack for all the wrong reasons.”

While the impact of the leaked data remains unknown, the duo seemingly hopes that threat hunters, hackers, hacktivists, and law enforcement will use the information to disrupt Kimsuky’s operations.