North Korean hackers target the South’s think tanks through blog posts
A North Korean hacking group has been targeting think tanks in South Korea through blog posts riddled with malware. The new campaign dates back to June 2021 and consists of a state-sponsored advanced persistent threat group attempting to plant surveillance and theft-based malware on South Korean victim machines. Researchers from Cisco Talos attributed the attacks to Kimsuky APT, also referred to as Thallium and Black Banshee. The targeted groups are think tanks whose research pertains to political, diplomatic, and military topics related to the US, Russia, North Korea, and China. The APT specifically targets geopolitical and aerospace organizations.
The APT Kimsuky has been active since at least 2012, according to researchers. The Cybersecurity and Infrastructure Security Agency issued an advisory on the APT in 2020, highlighting that the group is tasked by the North Korean government with gathering intelligence. The APT has previously targeted organizations in South Korea, Japan, and the US. The APT uses compensation forms, questionnaires, and research documents attached to emails as phishing lures.