Last updated on April 20, 2014 at 13:20 EDT

Kaspersky Lab Analyses Active Cyber-Espionage Campaign Primarily Targeting South Korean Entities

September 12, 2013

ABINGDON, England, September 12, 2013 /PRNewswire/ –

Operation’s possible North Korean links uncovered

Today Kaspersky Lab’s security research team published a report that analyses an
active cyber-espionage campaign primarily targeting South Korean think-tanks.

This campaign, named Kimsuky, is limited and highly targeted. According to technical
analysis, attackers were interested in targeting eleven organisations based in South Korea
and two entities in China including the Sejong Institute, Korea Institute for Defense
Analyses (KIDA), South Korea’s Ministry of Unification, Hyundai Merchant Marine and the
supporters of Korean Unification.

The earliest signs of this threat actor’s activity date back to the 3rd April 2013,
and the first Kimsuky Trojan samples appeared on the 5th May 2013. This unsophisticated
spy program includes several basic coding errors and handles communications to and from
infected machines via a Bulgarian web-based free e-mail server (mail.bg [http://mail.bg]).

Although the initial delivery mechanism remains unknown, Kaspersky researchers believe
the Kimsuky malware is most likely delivered via spear-phishing e-mails and has the
ability to perform the following espionage functions: keystroke logging, directory listing
collection, remote control access and HWP document theft (related to the South Korean word
processing application from the Hancom Office bundle, extensively used by the local
government). The attackers are using a modified version of the TeamViewer remote access
application to serve as a backdoor to hijack any files from the infected machines.

The Kimsuky malware contains a dedicated malicious program designed for stealing HWP
files, which suggests that these documents are one of the main objectives of the group.

Clues found by Kaspersky Lab’s experts make it possible to surmise the North Korean
origin of the attackers. First of all, the profiles of the targets speak for themselves:
South Korean universities conducting research on international affairs and producing
defense policies for government, a national shipping company, and support groups for
Korean unification. Secondly, a compilation path string contains Korean words (for
example, some of them could be translated as the English commands “attack” and “completion”).

Finally, two email addresses to which bots send reports on status and transmit
infected system information via attachments, iop110112@hotmail.com and
rsh1213@hotmail.com, are registered with the following ‘kim’ names: “kimsukyang” and “Kim
asdfa”. Even though this registration data does not provide hard evidence about the attackers,
the source IP addresses of the attackers fit the profile: there are 10 originating
IP addresses, and all of them lie in ranges of the Jilin Province Network and Liaoning
Province Network in China. The ISPs providing Internet access in these provinces are also
believed to maintain lines into parts of North Korea.

Another interesting “geo-political” feature of Kimsuky malware is that it only
disables security tools from AhnLab, a South Korean anti-malware company.

Kaspersky Lab’s products detect and neutralise these threats as Trojan.Win32.Kimsuky,
and modified TeamViewer client components are detected as Trojan.Win32.Patched.ps.

To read Kaspersky Lab’s research post and the full report about the Kimsuky campaign,
please visit Securelist
[http://www.securelist.com/en/analysis/204792305/The_Kimsuky_Operation_A_North_Korean_APT].

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection
solutions. The company is ranked among the world’s top four vendors of security solutions
for endpoint users*. Throughout its more than 15-year history Kaspersky Lab has remained
an innovator in IT security and provides effective digital security solutions for large
enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the
United Kingdom, currently operates in almost 200 countries and territories across the
globe, providing protection for over 300 million users worldwide. Learn more at
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue
by Vendor, 2011. The rating was published in the IDC report “Worldwide Endpoint Security
2012-2016 Forecast and 2011 Vendor Shares” (IDC #235930, July 2012). The report ranked
software vendors according to earnings from sales of endpoint security solutions in 2011.

        Editorial contact:
        Berkeley PR
        Ella Thompson
        Telephone: +44(0)118-909-0909
        1650 Arlington Business Park
        RG7 4SA, Reading

        Kaspersky Lab UK
        Ruth Knowles
        Telephone: +44(0)7590-440-433
        Milton Business Park
        OX14 4RY, Oxford

SOURCE Kaspersky Lab

Source: PR Newswire