News Insights: US Government Issues Warning on Kimsuky APT Group

The FBI, DOD and DHS issued an alert Tuesday warning the private sector about a global hacking operation run by a North Korean government-linked hacking group known as Kimsuky https://us-cert.cisa.gov/ncas/alerts/aa20-301a

A joint alert was issued today by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF), describing the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. Known Kimsuky TTPs were found in open-source and intelligence reporting through July 2020, targeting commercial sector businesses.

News Insights:

Saryu Nayyar, CEO, Gurucul:

“The US-CERT alert on the North Korean APT group known as Kimsuky is not surprising, coming so soon after a similar alert about APT groups operating out of China.  State, and State Sponsored attacks have existed for years, but have grown higher profile and less covert over time.  The DPRK (Democratic People’s Republic of North Korea) has used cyberattacks as a form of asymmetric warfare for years, and is suspected of being behind a number of high-profile attacks against civilian targets. Organizations can defend themselves by using best of breed security solutions, including behavioral analytics, and by educating their user base to defend against the social engineering and spear phishing attacks this group often employs.”

Katie Nickels, director of intelligence at threat detection and response specialists Red Canary, commented: “My hope is that by the U.S. government continuing to share this level of detail in reporting, public-private relations will improve over time and contribute to better security on both sides.

Historically, the U.S. government has received a lot of criticism from the cybersecurity community about their reporting. Many times, governments are not able to share details of activity because of sensitive sources and methods they used to acquire the information. However, many researchers have criticized the government for not sharing actionable context and information about cyber threats. For example, DHS’s Automated Indicator Sharing (AIS) program has been widely criticized and was recently the subject of an Office of the Inspector General (OIG) report

In a departure from that history, the report released today by DHS, FBI, and CYBERCOM contains many details about cyber threats that defenders could action. It provides both behavior-based details as well as indicators of compromise from both the endpoint and network perspectives, which would allow defenders with various collections and visibility to identify these threats.

Additionally, this report links to the research of other community members, including MITRE ATT&CK, Palo Alto Unit 42, and Securelist. I also credit some of the recent DHS changes to the CISA Director, Chris Krebs, who is active in the cybersecurity community and has been particularly visible on topics of election security. This report is just the latest in a series of recent reports with similar levels of detail.”

Erich Kron, security awareness advocate at KnowBe4, said:

“This is another example of the seriousness of the modern cybercrime world and the resources behind them. With billions of dollars at stake every year and with warfare expanding to the digital realm in such a large way, it is no surprise that nation-states are involved. The days of thick manila envelopes full of papers, traditional dossiers on people or stealthy microfilm cameras whisking away our information are gone. Now, it is all a bunch of ones and zeros in easily searched databases. Given the success of social media attacks, it is also no surprise that email phishing is the top choice of attack vectors. To defend against these attacks, organizations must stay up to date on the current phishing trends and educate their employees on how to spot and report these types of attacks.”