North Korean Spying Operation Exposed by Hackers

August 12, 2025
North Korean Hacker Compromised: Operation Details Leaked

A significant breach has reportedly occurred, with hackers claiming successful compromise of a computer system belonging to an operative of the North Korean government. The contents of this system have subsequently been released publicly, providing an unusual insight into the nation’s hacking activities.

Report Published in Phrack Magazine

The two individuals responsible for the breach, known as Saber and cyb0rg, detailed their findings in a report featured in the latest edition of Phrack magazine. This publication is a well-known cybersecurity e-zine, originally launched in 1985.

Distribution of the latest issue took place at the Def Con hacking conference held in Las Vegas last week.

Details of the Compromise

According to the article, the hackers successfully infiltrated a workstation. This workstation hosted both a virtual machine and a virtual private server utilized by the targeted individual, identified as “Kim.”

The hackers assert that Kim is affiliated with Kimsuky, a North Korean government espionage group also recognized as APT43 and Thallium. All stolen data was transferred to DDoSecrets, a nonprofit organization dedicated to archiving leaked datasets for public access.

Kimsuky: A Prolific APT Group

Kimsuky is a highly active advanced persistent threat (APT) group. It is widely believed to operate within the North Korean government structure.

Their targets commonly include journalists and governmental bodies in South Korea, as well as other entities of strategic intelligence value to North Korea.

Financial Motivations

In addition to traditional espionage, Kimsuky engages in activities resembling cybercrime. This includes the theft and laundering of cryptocurrencies, reportedly to finance North Korea’s nuclear weapons development program.

Unique Access into Kimsuky Operations

This incident offers a remarkably rare perspective into Kimsuky’s operational methods. Unlike typical cybersecurity investigations that analyze data breaches, this hack involved compromising a member of the group directly.

Collaboration with Chinese Hackers

The hackers revealed observations regarding collaboration between Kimsuky and Chinese government-affiliated hacking groups. They noted the sharing of tools and techniques between the two entities.

Ethical and Legal Considerations

While the actions of Saber and cyb0rg technically constitute a criminal offense, prosecution is unlikely. This is due to the extensive sanctions already imposed on North Korea.

The hackers expressed a clear intent to expose and discredit Kimsuky members.

Strong Condemnation of Kimsuky

In their Phrack article, the hackers delivered a scathing critique of Kimsuky’s motivations. They accused the group of prioritizing financial gain and political objectives over ethical considerations.

They stated, “You hack for all the wrong reasons.”

Data Discovered in the Breach

Saber and cyb0rg claim to have uncovered evidence of Kimsuky compromising numerous South Korean government networks and private companies.

The leaked data includes email addresses, hacking tools, internal documentation, passwords, and other sensitive information.

Attempts to reach the individuals associated with the compromised email addresses were unsuccessful.

Identifying the Hacker

The hackers identified “Kim” as a North Korean government operative based on various indicators. These included file configurations and domain associations previously linked to the Kimsuky hacking group.

Regular Work Schedule

The hackers also observed a consistent work pattern, noting that Kim connected to the network around 09:00 and disconnected by 17:00, Pyongyang time. This suggests adherence to standard office hours.
