Hackers claim to have compromised the computer of a North Korean government hacker and leaked its contents online, offering a rare window into a hacking operation by the notoriously secretive nation.
The two hackers, who go by Saber and cyb0rg, published a report about the breach in the latest issue of Phrack magazine, a legendary cybersecurity e-zine that was first published in 1985. The latest issue was distributed at the Def Con hackers conference in Las Vegas last week.
In the article, the two hackers wrote that they were able to compromise a workstation containing a virtual machine and a virtual private server belonging to the hacker, whom they call “Kim.” The hackers claim Kim works for the North Korean government espionage group known as Kimsuky, also known as APT43 and Thallium. The hackers leaked the stolen data to DDoSecrets, a nonprofit collective that stores leaked datasets in the public interest.
Kimsuky is a prolific advanced persistent threat group, or APT, widely believed to be working inside North Korea’s government, targeting journalists, government agencies in South Korea and elsewhere, and other targets that could be of interest for North Korea’s intelligence apparatus.
As is usual with North Korea, Kimsuky also conducts operations more akin to a cybercriminal group, for example stealing and laundering cryptocurrencies to fund North Korea’s nuclear weapons program.
This hack gives an almost-unprecedented look inside the operation of Kimsuky, given that the two hackers compromised one of the group’s members, rather than relying on the investigation of a data breach, as cybersecurity researchers and companies typically have to.
“It shows a glimpse how openly ‘Kimsuky’ cooperates with Chinese [government hackers] and shares their tools and techniques,” the hackers wrote.

Obviously, what Saber and cyb0rg did is technically a crime, although they will likely never be prosecuted for it, considering North Korea is sanctioned up to its eyeballs. The two hackers clearly believe Kimsuky members deserve to be exposed and embarrassed.
“Kimsuky, you’re not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda. You steal from others and favour your own. You value yourself above the others: You are morally perverted,” the two wrote in Phrack. “You hack for all the wrong reasons.”
Saber and cyb0rg claim to have found evidence of Kimsuky compromising several South Korean government networks and companies, as well as email addresses, hacking tools used by the Kimsuky group, internal manuals, passwords, and more data.
Emails sent to the addresses allegedly belonging to the hackers, which were listed in the research, went unanswered.
The hackers wrote that they were able to identify Kim as a North Korean government hacker, thanks to “artifacts and hints” that pointed in that direction, including file configurations and domains previously attributed to the North Korean hacking group Kimsuky.
The hackers also noted Kim’s “strict office hours, always connecting at around 09:00 and disconnecting by 17:00 Pyongyang time.”