{ "type": "bundle", "id": "bundle--86c14626-5a41-4ed8-8d0e-f8fd83383717", "spec_version": "2.0", "objects": [ { "modified": "2022-11-30T22:53:00.875Z", "name": "Kimsuky", "description": "[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.(Citation: EST Kimsuky April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)\n\n[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. 
compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", "aliases": [ "Kimsuky", "STOLEN PENCIL", "Thallium", "Black Banshee", "Velvet Chollima" ], "x_mitre_deprecated": false, "x_mitre_version": "3.1", "x_mitre_contributors": [ "Taewoo Lee, KISA", "Dongwook Kim, KISA" ], "type": "intrusion-set", "id": "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "created": "2019-08-26T15:03:02.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0094", "external_id": "G0094" }, { "source_name": "Thallium", "description": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)" }, { "source_name": "Black Banshee", "description": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)" }, { "source_name": "STOLEN PENCIL", "description": "(Citation: Netscout Stolen Pencil Dec 2018)" }, { "source_name": "Kimsuky", "description": "(Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021)" }, { "source_name": "Velvet Chollima", "description": "(Citation: Zdnet Kimsuky Dec 2018)(Citation: ThreatConnect Kimsuky September 2020)(Citation: Malwarebytes Kimsuky June 2021)" }, { "source_name": "AhnLab Kimsuky Kabar Cobra Feb 2019", "description": "AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. 
Retrieved September 29, 2021.", "url": "https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf" }, { "source_name": "EST Kimsuky April 2019", "description": "Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.", "url": "https://blog.alyac.co.kr/2234" }, { "source_name": "Netscout Stolen Pencil Dec 2018", "description": "ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.", "url": "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" }, { "source_name": "BRI Kimsuky April 2019", "description": "BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019.", "url": "https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/" }, { "source_name": "Zdnet Kimsuky Dec 2018", "description": "Cimpanu, C. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.", "url": "https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/" }, { "source_name": "CISA AA20-301A Kimsuky", "description": "CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-301a" }, { "source_name": "Cybereason Kimsuky November 2020", "description": "Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.", "url": "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" }, { "source_name": "EST Kimsuky SmokeScreen April 2019", "description": "ESTSecurity. (2019, April 17). 
Analysis of the APT Campaign \u2018Smoke Screen\u2019 targeting to Korea and US \ucd9c\ucc98: https://blog.alyac.co.kr/2243 [\uc774\uc2a4\ud2b8\uc2dc\ud050\ub9ac\ud2f0 \uc54c\uc57d \ube14\ub85c\uadf8]. Retrieved September 29, 2021.", "url": "https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf" }, { "source_name": "Malwarebytes Kimsuky June 2021", "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.", "url": "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" }, { "source_name": "Securelist Kimsuky Sept 2013", "description": "Tarakanov, D. (2013, September 11). The \u201cKimsuky\u201d Operation: A North Korean APT?. Retrieved August 13, 2019.", "url": "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" }, { "source_name": "ThreatConnect Kimsuky September 2020", "description": "ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.", "url": "https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }