North Korean Cyber Espionage Group Targets University Professors


Kimsuky Cyber Attack Targeting Universities Linked to North Korea

In a recent development, the North Korea-linked threat actor Kimsuky has been identified in a series of cyber attacks targeting university staff, researchers, and professors for intelligence-gathering purposes. Cybersecurity firm Resilience discovered this activity in late July 2024 after spotting an operational security error made by the hackers.

Kimsuky, also known by various aliases such as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima, is just one of several offensive cyber teams operated by the North Korean government and military.

The group is known for its active use of spear-phishing campaigns to deliver custom tools for reconnaissance, data theft, and establishing remote access to infected hosts. It has been using compromised hosts to deploy an obfuscated version of the Green Dinosaur web shell, which facilitates file operations and hosts its phishing campaigns.

One notable tactic used by Kimsuky involves uploading phishing pages mimicking legitimate login portals for Naver and various universities to capture credentials. The victims are then redirected to a PDF document purporting to be an invitation to the Asan Institute for Policy Studies August Forum.

Researchers at Resilience have also uncovered a custom PHPMailer tool called SendMail, used by Kimsuky to send phishing emails through Gmail and Daum Mail accounts.

To protect against such threats, users are advised to enable multi-factor authentication and to carefully scrutinize URLs before logging in, since the phishing pages in this campaign imitate legitimate Naver and university login portals.
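As an added example (not code from the article or from Resilience), the following Python function applies the "scrutinize the URL before logging in" advice mechanically: given an allowlist of the registrable domains a user legitimately signs into, it flags the lookalike tricks that credential-phishing pages of the kind described above rely on. The allowlist entries and every sample URL are constructed for illustration; the `example-university.ac.kr` domain is a placeholder, not a real institution.

```python
"""Scrutinise a login URL before entering credentials.

Added example, not from the article or from Resilience. Given the
registrable domains of the portals a user legitimately signs into, classify
a URL as "trusted", "suspicious" (lookalike tricks present) or "unknown".
The legitimate-domain list and all sample URLs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains of the real login portals.
# "example-university.ac.kr" is a placeholder, not a real institution.
LEGITIMATE_DOMAINS = ("naver.com", "example-university.ac.kr")


def _brand_label(domain: str) -> str:
    """'naver.com' -> 'naver': the label a lookalike host is most likely to reuse."""
    return domain.split(".")[0]


def classify_login_url(url: str, legitimate_domains=LEGITIMATE_DOMAINS):
    """Return (verdict, reasons); verdict is 'trusted', 'suspicious' or 'unknown'."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme != "https":
        reasons.append("not served over https")
    if parts.username is not None:
        # https://naver.com@evil.example/ : text before '@' is user-info, not the host
        reasons.append("user-info before '@' hides the real host")
    if not host:
        reasons.append("no host in URL")
        return "suspicious", reasons

    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass  # a normal DNS name

    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) label; possible homoglyph")

    # Exact match or a proper subdomain of an allowlisted registrable domain.
    on_legit = any(host == d or host.endswith("." + d) for d in legitimate_domains)
    if on_legit:
        return ("trusted" if not reasons else "suspicious"), reasons

    # Brand string reused inside an unrelated host, e.g. nid.naver.com.verify.example
    for d in legitimate_domains:
        if _brand_label(d) in host:
            reasons.append(f"host mimics '{d}' but is not under it")
            break

    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    # Constructed sample URLs: one genuine portal, several lookalikes, one unrelated.
    samples = [
        "https://nid.naver.com/nidlogin.login",
        "https://nid.naver.com.account-verify.example/login",
        "https://naver.com@198.51.100.7/login",
        "http://nid.naver.com/nidlogin.login",
        "https://xn--nver-abc.example/login",
        "https://docs.example.org/forum-invite.pdf",
    ]
    for u in samples:
        verdict, why = classify_login_url(u)
        print(f"{verdict:10s} {u}  {'; '.join(why)}")
```

The allowlist holds registrable domains rather than full hostnames so that genuine subdomains such as `nid.naver.com` pass, while anything that merely embeds the brand name elsewhere in the host is flagged. This check does not replace multi-factor authentication; it only reduces the chance of typing a password into a page that should never have received it.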
