North Korean Kimsuky hackers exposed in alleged data breach

The North Korean state-sponsored hacking group known as Kimsuky has reportedly suffered a data breach after two hackers, who describe themselves as the opposite of Kimsuky's values, stole the group's data and leaked it publicly online.

The two hackers, named 'Saber' and 'cyb0rg,' cited moral reasons for their actions, saying Kimsuky is "hacking for all the wrong reasons," claiming the group is driven by political agendas and follows regime orders instead of practicing the art of hacking independently.

"Kimsuky, you are not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda," reads the hackers' address to Kimsuky published in the latest issue of Phrack, which was distributed at the DEF CON 33 conference.

"You steal from others and favour your own. You value yourself above the others: You are morally perverted."

The hackers dumped a portion of Kimsuky's backend, exposing both their tooling and some of their stolen data, which could provide insight into unknown campaigns and undocumented compromises.

The 8.9GB dump, currently hosted on the 'Distributed Denial of Secrets' website, contains, among other things:

  • Phishing logs with multiple dcc.mil.kr (Defense Counterintelligence Command) email accounts.
  • Other targeted domains: spo.go.kr, korea.kr, daum.net, kakao.com, naver.com.
  • A .7z archive containing the full source code of South Korea's Ministry of Foreign Affairs email platform ("Kebi"), including webmail, admin, and archive modules.
  • References to South Korean citizen certificates and curated lists of university professors.
  • A PHP "Generator" toolkit for building phishing sites with detection evasion and redirection techniques.
  • Live phishing kits.
  • Unknown binary archives (voS9AyMZ.tar.gz, Black.x64.tar.gz) and executables (payload.bin, payload_test.bin, s.x64.bin) not flagged in VirusTotal.
  • Cobalt Strike loaders, reverse shells, and Onnara proxy modules found in the VMware drag-and-drop cache.
  • Chrome history and configs linking to suspicious GitHub accounts (wwh1004.github.io, etc.), VPN purchases (PureVPN, ZoogVPN) via Google Pay, and frequent use of hacking forums (freebuf.com, xaker.ru).
  • Google Translate use for Chinese error messages and visits to Taiwanese government and military sites.
  • Bash history with SSH connections to internal systems.

The hackers note that some of the above are already known or previously documented, at least partially.

However, the dump adds a new dimension to that knowledge and provides interlinking between Kimsuky's tools and activities, exposing and effectively "burning" the APT's infrastructure and methods.

BleepingComputer has contacted various security researchers to confirm the veracity of the leaked documents and their value, and will update the story if we receive a response.

While the breach will likely not have a long-term impact on Kimsuky's operations, it could lead to operational difficulties for Kimsuky and disruptions to ongoing campaigns.

The latest issue of Phrack (#72) is currently only available as a limited physical copy, but the online version should be ready for people to read for free in the following days from here.
