US Sanctions North Korean Cyber Unit After Satellite LaunchKimsuky Cyberespionage Unit Hit With Sanctions From US and Foreign Partners
The United States on Thursday sanctioned North Korean cyberespionage threat actor Kimsuky, known for its social engineering campaigns against targets it suspects of holding intelligence on geopolitical events and negotiations affecting the Hermit Kingdom.
The Department of the Treasury leveled sanctions against the threat actor and eight North Korean agents accused of facilitating sanctions evasions by carrying out missile-related technology procurement efforts.
The department said the sanctions are a response to a North Korean reconnaissance satellite launch that took place on Nov 21. Pyongyang state-run media claimed on Monday to have used the satellite, named Malligyong-1, to take detailed photos of the White House, the Pentagon and nearby military bases.
"The DPRK's use of overseas laborers, money launderers, cyberespionage and illicit funding continue to threaten international security and our allies in the region," said Brian Nelson, undersecretary for terrorism and financial intelligence for the Treasury Department, in a statement referring to the regime by its official name, the Democratic People's Republic of Korea.
"We will remain focused on targeting these key nodes in the DPRK's illicit revenue generation and weapons proliferation," Nelson added.
Australia, Japan and South Korea also sanctioned the same group of individuals and Kimsuky, in collaboration with U.S. authorities.
The sanctions come just a day after federal agents sanctioned and seized cryptocurrency mixer Sinbad.io for acting as the "preferred mixing service" for North Korean state hackers known as Lazarus Group. Treasury sanctioned Lazarus in September 2019 (see: US Sanctions, Seizes Sinbad Cryptomixer).
Kimsuky, also known as Thallium and APT 43, has launched attacks against foreign governments, academic institutions and major media corporations. The group in 2022 carried out a phishing campaign to extract personal information from hundreds of South Korean foreign policy experts and conduct coordinated ransomware attacks.
"They're the guys Kim Jong Un goes to after launching a missile to ask: 'What did the world think of that?'" said Michael Barnhart, a Mandiant principal analyst, earlier this year. The threat intel firm characterized the group as holding "moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S." organizations. It also spotted Kimsuky hackers stealing cryptocurrency to fund the group's operations (see: North Korean Threat Groups Steal Crypto to Pay for Hacking).
The Cybersecurity and Infrastructure Security Agency in 2020 said the group has been operational since 2012. Spear-phishing is its most common initial access method, the agency said.
Kimsuky is also known for building a rapport with targets, often sending benign emails to build trust before sending a malicious attachment or link.