Kaspersky Lab Analyzes Active Cyber-Espionage Campaign Primarily Targeting South Korean Entities
Operation’s possible North Korean links
Woburn, MA – September 11, 2013 -Today Kaspersky Lab’s security research team published
a report that analyzes an active cyber-espionage campaign primarily targeting
South Korean think-tanks.
named Kimsuky, is limited and highly targeted. According to technical analysis,
attackers were interested in targeting 11 organizations based in South Korea
and two entities in China including the Sejong Institute, Korea Institute For
Defense Analyses (KIDA), South Korea's Ministry of Unification, Hyundai
Merchant Marine and The supporters of Korean Unification.
The earliest signs
of this threat actor's activity date back to the 3rd of April 2013, and the
first Kimsuky Trojan samples appeared on the 5th of May 2013. This
unsophisticated spy program includes several basic coding errors and handles
communications to and from infected machines via a Bulgarian web based free
e-mail server (mail.bg).
initial delivery mechanism remains unknown, Kaspersky researchers believe the
Kimsuky malware is most likely delivered via spear-phishing e-mails and has the
ability to perform the following espionage functions: keystroke logging,
directory listing collection, remote control access and HWP document theft
(related to the South Korean word processing application from the Hancom Office
bundle, extensively used by the local government). The attackers are using a modified version of
the TeamViewer remote access application to serve as a backdoor to hijack any
files from the infected machines.
malware contains a dedicated malicious program designed for stealing HWP files,
which suggests that these documents are one of main objectives of the group.
Clues found by
Kaspersky Lab's experts make it possible to surmise the North Korean
origin of the attackers. First of all, profiles of the targets speak for
themselves – South Korean universities conducting research on international
affairs and producing defense policies for government, a national shipping
company, and support groups for Korean unification.
Secondly – a
compilation path string containing Korean words (for example, some of them
could be translated as English commands “attack” and “completion”).
Third – two email
addresses to which bots send reports on status and transmit infected system
information via attachments – email@example.com and firstname.lastname@example.org –
are registered with the following “kim” names: “kimsukyang” and “Kim asdfa”. Even though this registration data does not
provide hard data about the attackers, the source IP-addresses of the attackers
fit the profile: there are 10 originating IP-addresses, and all of them lie in
ranges of the Jilin Province Network and Liaoning Province Network in China.
The ISPs providing Internet access in these provinces are also believed to
maintain lines into parts of North Korea.
interesting “geo-political” feature of Kimsuky malware is that it only disables
security tools from AhnLab, a South Korean anti-malware company.
products detect and neutralize these threats as Trojan.Win32.Kimsuky, and
modified TeamViewer client components are detected as
To read Kaspersky
Lab’s research post and the full report about the Kimsuky campaign, please
About Kaspersky Lab Kaspersky
Lab is the world’s largest privately held vendor of endpoint protection
solutions. The company is ranked among the world’s top four vendors of security
solutions for endpoint users*. Throughout its more than 15-year history
Kaspersky Lab has remained an innovator in IT security and provides effective
digital security solutions for large enterprises, SMBs and consumers. Kaspersky
Lab, with its holding company registered in the United Kingdom, currently
operates in almost 200 countries and territories across the globe, providing
protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue
by Vendor, 2011. The rating was published in the IDC report "Worldwide
Endpoint Security 2012–2016 Forecast and 2011 Vendor Shares (IDC #235930, July
2012). The report ranked software vendors according to earnings from sales of
endpoint security solutions in 2011.