North Korea’s Kimsuky Launches New Wave of Academic Cyberattacks
The hacker group Kimsuky, linked to North Korea, has once again come under scrutiny following a series of attacks targeting university staff, researchers, and professors. According to Resilience, these cyberattacks are aimed at gathering intelligence.
Resilience experts revealed that the group’s activities were detected in late July of this year, owing to an operational security mistake made by the hackers. Kimsuky, also tracked under aliases including APT43 and ARCHIPELAGO, is one of the many cyber divisions operating under the direction of the North Korean government and military structures.
Kimsuky actively employs phishing attacks to deliver specialized tools designed for conducting reconnaissance, stealing data, and establishing persistent remote access to compromised devices. A distinguishing feature of these attacks is the use of compromised servers to deploy a disguised version of the Green Dinosaur web shell, which the group uses to perform file operations on the compromised hosts.
Experts note that the access gained through Green Dinosaur allows for the deployment of phishing pages that mimic legitimate portals such as Naver and university websites, including Dongduk University, Korea University, and Yonsei University. These fake pages are designed to steal users’ credentials.
Once the victim enters their credentials, they are redirected to another site where a PDF document, purportedly an invitation to the Asan Institute for Policy Studies forum, is hosted. Resilience researchers also discovered that Kimsuky’s phishing sites employ a tool for the mass harvesting of Naver credentials, which acts as a proxy, stealing cookies and passwords from visitors.
Additionally, the analysis revealed Kimsuky’s use of a specially crafted PHPMailer tool called SendMail, employed to send phishing emails from Gmail and Daum Mail accounts.
To protect against such attacks, experts recommend enabling multi-factor authentication and carefully scrutinizing URLs before entering any credentials.