Hackers going by the handles Saber and cyb0rg published an article in the latest issue of Phrack (the legendary e-zine that has been published since 1985). The anniversary issue marking Phrack’s 40th year was distributed at the DEF CON conference. In the piece, they described compromising a member of the North Korean espionage hacking group Kimsuky (aka APT43 and Thallium).
The authors of the article claim they were able to compromise a workstation, including a virtual machine running on it, and a VPS belonging to a North Korean hacker they refer to as “Kim.” This gave them access to nearly 20,000 records and the attacker’s Chrome and Brave browser histories, and let them steal operational manuals for malware, passwords and email addresses, as well as credentials for various tools.
The hackers handed over all the stolen data to representatives of the activist group DDoSecrets (Distributed Denial of Secrets), who present themselves as “transparency advocates” and index and store data leaks in the public interest.
Kimsuky is a well-known APT group believed to be linked to the North Korean government. It most often targets journalists, activists, and government agencies in South Korea and other countries, as well as other targets that may be of interest to the DPRK’s intelligence apparatus. Like many other North Korean hacking groups, Kimsuky also conducts other operations, namely stealing and laundering cryptocurrency.
The hackers claim that compromising a member of the group is a virtually unprecedented opportunity to see Kimsuky’s operations from the inside.
“This shows how openly Kimsuky collaborates with Chinese [government hackers] and shares its tools and techniques,” the authors write.
It is worth noting that what Saber and cyb0rg did is technically a crime, although they are unlikely to ever be prosecuted for this breach. At the same time, the hackers themselves believe that members of Kimsuky deserve to be exposed and shamed.
“Kimsuky, you are not hackers. You are driven by greed, by a desire to enrich your leaders and advance their political agenda. You steal from others and give to your own. You put yourselves above others. You are morally corrupt,” the article in Phrack says. “You engage in hacking for all the wrong reasons.”
In the publication, Saber and cyb0rg claim that in the compromised systems they found evidence of the Kimsuky group breaching several South Korean government networks and companies, as well as email addresses and hacking tools used by the group, internal manuals, passwords, and other data.
“Some of these tools are probably already familiar to the community: you’ve seen their scans and detected artifacts and implants on the server side,” write Saber and cyb0rg. “Now you’ll also see the client side, documentation, passwords, source code, and command files.”
The authors of the article said they were able to identify “Kim” as a North Korean hacker based on various “artifacts and clues,” including file configurations and domains that had previously been linked to Kimsuky operations.
As Trend Micro specialists who analyzed the leak have already noted, this will likely help cybersecurity companies better understand the capabilities and goals of “government” hackers.
“The disclosed information is very important for understanding the activities of government-linked threat actors. It adds new pieces to the puzzle of Chinese cyber operations and sheds light on the depth of the attackers’ operations, as well as their day-to-day activities and areas of interest,” the experts say.
However, Trend Micro noted that the evidence suggests the hacked hacker is not necessarily linked to North Korea. For example, he apparently speaks Chinese rather than Korean. His browser history, bookmarks, and the list of websites he visited also point more toward ties with China.
Additionally, the attacker had a number of tools (for example, client-side exploit code for the Ivanti backdoor) that are widely used by Chinese APT groups, such as UNC5221.
“The attacker is likely linked to China and operates against relevant targets—Taiwan, Japan, and South Korea. However, they are aware of Kimsuky and may be collaborating with them, or trying to imitate their behavior to confuse defenders,” the experts suggest.