The Cybersecurity and Infrastructure Security Agency (CISA),  the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF) identified tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA

• October 27, 2020: Joint CISA-CMNF-FBI Cybersecurity Advisory: North Korean Advanced Persistent Threat Focus: Kimsuky

Kimsuky is engaged in ongoing cyber operations against worldwide targets to gain intelligence for North Korea, specifically on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. CISA, FBI, and CNMF recommend individuals and organizations within commercial sector businesses increase their defenses and adopt a heightened state of awareness.

Michael Rezek, VP Cybersecurity Strategy, Accedian, notes, "Nation State Threat Actors (NTSA) are generally well funded and organized. Similar to a typical enterprise business operation model, these groups often consist of teams of actors that are each responsible for a specific role, such as acquiring infrastructure or analyzing data, but ultimately, they all work towards the same goal: conducting strategic cyber espionage campaigns."

Rezek adds, "As we continue to anticipate more NTSAs to target government networks and critical infrastructure, it'll be important to know how to defend networks against bad actors:

• Leveraging behavior based Threat Detection which looks at Tactics Techniques & Procedures (TTP) along with signatures, government agencies actually have the opportunity to detect these attacks in the early reconnaissance stage before the attack actually occurs, allowing them to take preventative action. TTP centric tools that leverage Network Traffic Analysis, for example, offer threat detection and can provide government organizations with the visibility needed to detect malicious activity. 
• Leveraging the Killchain or even the MITRE ATT&CK™model, which looks at threat risk associated with certain detectable behaviors, allows government organizations to defend against attacks regardless of whether they change their signature, given that there are only a limited number of network protocols that can be exploited to carry out an attack. 

The information contained in the alerts and MARs listed is the result of analytic efforts between the U.S. Department of Homeland Security, the U.S. Department of Defense, and the Federal Bureau of Investigation to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government.

Each MAR includes malware descriptions, suggested response actions, and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch, and give the activity the highest priority for enhanced mitigation. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA.

For a listing previous CISA alerts and Malware Analysis Reports (MARs) on North Korea’s malicious cyber activities, click here.