Exclusive Leak Reveals Inner Workings of North Korean Government Hacking Group Kimsuky in Rare Cybersecurity Breach

In an extraordinary revelation, two unidentified hackers, known as Saber and cyb0rg, have claimed to have infiltrated the digital infrastructure of a North Korean government cyber operative and publicly disclosed the findings. The hackers detailed their exploits in a recent issue of Phrack magazine, a revered cybersecurity publication with roots dating back to 1985.
The latest edition of Phrack was distributed at the Def Con conference held in Las Vegas last week. In the Phrack article, the hackers describe gaining access to a workstation, a virtual machine running on it, and a separate virtual private server, all attributed to an individual they call “Kim.” According to the duo, Kim is believed to be a member of the North Korean government espionage group commonly known as Kimsuky or APT43, also tracked as Thallium.
The hackers say they handed the stolen data to DDoSecrets, a nonprofit organization that archives and publishes leaked datasets in the public interest. Kimsuky is a notorious advanced persistent threat (APT) group widely linked to North Korea’s government and known for targeting journalists, South Korean government agencies, and other potential intelligence sources.
In addition to traditional espionage, Kimsuky also engages in cybercriminal operations such as cryptocurrency theft and laundering; the proceeds are believed to fund North Korea’s nuclear weapons program. The breach offers an unusual glimpse into the inner workings of Kimsuky, because the hackers compromised one of the group’s own members rather than reconstructing its activity from a victim’s data breach, which is how cybersecurity researchers and corporations typically study such groups.
The hackers contend that their findings reveal collaboration between Kimsuky and Chinese government hackers, stating, “It showcases how openly ‘Kimsuky’ cooperates with Chinese [government hackers] and shares their tools and techniques.”
While the actions of Saber and cyb0rg may themselves be illegal, they are unlikely to face prosecution given that their target was an operative of the heavily sanctioned North Korean state. The hackers express a clear intent to expose and shame Kimsuky members, writing in Phrack, “Kimsuky, you’re not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda. You steal from others and favor your own. You value yourself above the others: You are morally perverted. You hack for all the wrong reasons.”
Saber and cyb0rg claim to have uncovered evidence of Kimsuky compromising several South Korean government networks and companies, along with email addresses and hacking tools used by the group, internal manuals, passwords, and other data. However, attempts to contact the two hackers through the email addresses listed in their article have so far been unsuccessful.
The hackers say they identified Kim as a North Korean government operative based on various “artifacts and hints,” including configuration files and domains previously associated with Kimsuky. The operator’s “strict office hours, always connecting at around 9:00 AM and disconnecting by 5:00 PM Pyongyang time” were also taken as indicative of the affiliation.
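The office-hours observation above is a standard attribution heuristic: if an operator's sessions cluster inside a 9-to-5 window in exactly one UTC offset, that offset is a candidate for where they sit. The following is an added example, not code from the Phrack article or from Saber and cyb0rg, showing the general form of that check: it scores every UTC offset by how much of the activity lands in working hours and reports the best fit. The connection timestamps are constructed sample data, not Kim's real logs, and the 09:00-17:00 window is taken from the article's description.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of session-start timestamps in UTC (not real log data).
# They cluster between 00:00 and 08:00 UTC, which is 09:00-17:00 at UTC+9.
SAMPLE_CONNECTIONS_UTC = [
    "2025-07-07T00:05:00Z", "2025-07-07T02:40:00Z", "2025-07-07T07:55:00Z",
    "2025-07-08T00:10:00Z", "2025-07-08T04:30:00Z", "2025-07-08T07:45:00Z",
    "2025-07-09T00:02:00Z", "2025-07-09T03:15:00Z", "2025-07-09T07:50:00Z",
    "2025-07-10T01:20:00Z", "2025-07-10T06:05:00Z", "2025-07-10T07:58:00Z",
    "2025-07-11T00:30:00Z", "2025-07-11T05:45:00Z",
    "2025-07-12T13:00:00Z",   # one Saturday outlier, to show the score is not 100%
]

# Working window as described in the article: connect ~09:00, disconnect by 17:00.
WORK_START, WORK_END = 9, 17

# UTC+9 is shared by Pyongyang, Seoul and Tokyo (fact), so the offset alone
# cannot single out North Korea; the other "artifacts and hints" do that work.
SHARED_OFFSET_NOTE = {9: "Asia/Pyongyang, Asia/Seoul, Asia/Tokyo"}


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hours(timestamps, utc_offset_hours: int):
    """Hour-of-day of each timestamp after shifting to a fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return [parse_utc(t).astimezone(tz).hour for t in timestamps]


def hour_histogram(timestamps, utc_offset_hours: int) -> Counter:
    """Activity count per local hour; useful for eyeballing the 9-to-5 shape."""
    return Counter(local_hours(timestamps, utc_offset_hours))


def in_window_fraction(timestamps, utc_offset_hours: int) -> float:
    """Fraction of sessions whose local start hour falls inside [WORK_START, WORK_END)."""
    hours = local_hours(timestamps, utc_offset_hours)
    hits = sum(1 for h in hours if WORK_START <= h < WORK_END)
    return hits / len(hours)


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """Score every candidate UTC offset; best score first, lower offset breaks ties."""
    scored = [(in_window_fraction(timestamps, off), off) for off in offsets]
    scored.sort(key=lambda s: (-s[0], s[1]))
    return scored


def best_offset(timestamps) -> int:
    """The UTC offset under which the activity looks most like office hours."""
    return rank_offsets(timestamps)[0][1]


if __name__ == "__main__":
    for score, off in rank_offsets(SAMPLE_CONNECTIONS_UTC)[:3]:
        print(f"UTC{off:+d}: {score:.2f} of sessions inside {WORK_START}:00-{WORK_END}:00")
    off = best_offset(SAMPLE_CONNECTIONS_UTC)
    print("best fit:", f"UTC{off:+d}", SHARED_OFFSET_NOTE.get(off, ""))
    print("local-hour histogram:", sorted(hour_histogram(SAMPLE_CONNECTIONS_UTC, off).items()))
```

Two caveats a practitioner would attach to this signal: the working-hours offset is ambiguous among every country in that zone, and an operator routing through a VPS in another region or running scheduled jobs will shift or flatten the pattern. It is corroborating evidence for the configuration-file and domain overlaps the hackers cite, not an attribution on its own.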