Nation-State Actor

Kimsuky

North Korea • Active since 2012

Kimsuky is North Korea's intelligence-gathering hacking team. They target experts on North Korea—professors, journalists, government analysts—to steal information about foreign policy and nuclear negotiations. They're masters of social engineering, often impersonating trusted contacts or creating fake personas to build relationships before attacking.

Overview

Kimsuky is a North Korean threat group focused on intelligence collection targeting think tanks, academics, journalists, and government officials with expertise on Korean Peninsula issues. They are known for extensive social engineering and highly personalized spear-phishing campaigns.

Also Known As

Velvet Chollima, Black Banshee, Emerald Sleet, THALLIUM, APT43

Target Industries

Think tanks, Academia, Government, Media, Defense, Nuclear policy organizations

Target Regions

South Korea, United States, Japan, Europe


Tactics, Techniques & Procedures

  • Highly targeted spear-phishing
  • Credential harvesting via fake login pages
  • Long-term persona development and social engineering
  • Impersonating journalists and researchers
  • Exploiting Korean-language malicious documents

Known Tools & Malware

BabyShark, AppleSeed, Gold Dragon, Konni, RandomQuery, Custom PowerShell scripts

Notable Campaigns

Korea Hydro & Nuclear Power Hack (2014)

Breached South Korean nuclear operator, leaking plant blueprints and employee data.

Think Tank Targeting Campaign (2023)

Ongoing campaign targeting experts on North Korean policy across multiple countries.

MITRE ATT&CK Techniques

T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), T1598 (Phishing for Information), T1059.001 (PowerShell), T1056.001 (Keylogging)

Defense Recommendations

  1. Verify sender identity through alternate channels before opening attachments
  2. Train staff on sophisticated social engineering tactics
  3. Be suspicious of unsolicited interview or collaboration requests
  4. Use hardware security keys for authentication
  5. Implement email authentication (DMARC, DKIM, SPF)
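Recommendation 5 is only effective if the records are actually enforcing. The following added example (not from this profile, and not a tool of the group described) evaluates SPF and DMARC TXT records for the weak settings that still let a spoofed message from an impersonated domain reach an inbox: a missing record, an SPF `+all`/`~all` terminator, or a DMARC policy of `p=none`. The domain names and record values are constructed samples held in a dictionary so the check runs offline; `lookup_txt` stands in for a DNS resolver.

```python
"""Check SPF/DMARC records for settings that leave a domain spoofable.

Added example with constructed data; not code from the profile page.
"""

# Constructed sample TXT records, keyed by the DNS name they would live at.
SAMPLE_TXT = {
    "example.org": ["v=spf1 include:_spf.mailprovider.example ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
    "hardened.example": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.hardened.example": [
        "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@hardened.example"
    ],
    "nodmarc.example": ["v=spf1 +all"],
}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns the record strings for a name."""
    return records.get(name, [])


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, records=SAMPLE_TXT):
    """Return a list of findings; an empty list means SPF and DMARC enforce."""
    findings = []

    # SPF: exactly one record, terminated by '-all', is the enforcing shape.
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record; any host may send as this domain")
    elif len(spf) > 1:
        findings.append("SPF: multiple records; receivers treat this as permerror")
    else:
        last = spf[0].split()[-1].lower()
        if last in ("+all", "all"):
            findings.append("SPF: '+all' authorises every sender")
        elif last == "~all":
            findings.append("SPF: softfail '~all'; spoofed mail is usually still delivered")
        elif last != "-all":
            findings.append("SPF: no terminating 'all' mechanism (implicit neutral)")

    # DMARC: without a record, SPF/DKIM results are never acted on.
    dmarc = [
        r for r in lookup_txt(f"_dmarc.{domain}", records)
        if r.upper().startswith("V=DMARC1")
    ]
    if not dmarc:
        findings.append("DMARC: no record; alignment is not enforced and nothing is reported")
        return findings

    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} only monitors, it does not block")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for name in ("example.org", "hardened.example", "nodmarc.example"):
        print(name, assess_domain(name) or ["ok"])
```

To run this against live DNS, replace `lookup_txt` with a resolver call (for instance `dns.resolver.resolve(name, "TXT")` from dnspython) and keep the assessment logic unchanged. DKIM is deliberately not covered: its selector records cannot be enumerated from the domain name alone, so validating DKIM means checking the `DKIM-Signature` header of received mail rather than querying a fixed record.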

Related Threat Actors

Lazarus Group, APT37, TEMP.Hermit
