Saturday, December 6, 2025

North Korean Hackers Blamed for Major Cyber Breach at Korean Tech Firm

News1

The recent identification of North Korea’s Reconnaissance General Bureau-affiliated hacking group Kimsuky as the source of CJ OliveNetworks’ digital signature file leak has prompted experts to advise heightened security measures across the manufacturing, defense, finance, and information technology (IT) sectors.

Kimsuky is known for employing sophisticated tactics, including spear phishing attacks targeting specific individuals within organizations and distributing malware through deceptive work emails.

On Friday, security industry sources revealed that malicious files, suspected to be of North Korean origin and shared by Chinese security firm RedDrip Team on X (formerly Twitter), contained digital signature files from CJ OliveNetworks.

Reports indicate Kimsuky planned to exploit these stolen certificates to attack the Korea Institute of Machinery and Materials (KIMM), a government-funded research institution. The institute confirmed that its web development partner, Plan I, detected suspicious activity.

The Korea Internet & Security Agency (KISA) identified this threat and promptly alerted CJ OliveNetworks, which swiftly revoked the compromised certificates. KIMM also initiated a comprehensive cybersecurity audit.

A security expert cautioned that while it’s challenging to definitively identify the attacker, as other hacking groups might impersonate Kimsuky to cover their tracks, North Korean attacks continue to target domestic manufacturing and defense sectors. The expert added that with AI tools like ChatGPT, attackers are improving their communication style, making it harder for other industries to feel secure.

Genians’ analysis of Kimsuky’s BlueShark threat tactics revealed that the group conducted spear phishing campaigns early last year, distributing attachments disguised as lecture requests, special lecture materials, and interview questionnaires to domestic companies.

Opening these bait files, typically with docx or pdf extensions, leads users to web pages that redirect them to phishing sites. In documented cases, fake Google account login pages were used. Once users log in, they unknowingly access malicious files hidden in a fake Google Drive.

The security expert explained that malware can infiltrate the internal network by compromising a specific administrator’s desktop PC, enabling extensive lateral attacks across connected systems.

Genians also reported that Kimsuky sends phishing emails impersonating portal email security personnel or public institution documents. They sometimes use fake sender addresses with South Korean domains.

These phishing emails can distribute malware through attached compressed files or trick users into revealing administrator account information through fake login prompts.

To mitigate these threats, corporate employees should avoid accessing unverified uniform resource locators (URLs) or opening suspicious attachments. Regular updates of work software like Microsoft Office and operating systems are crucial to minimize vulnerabilities.

The expert emphasized that security patches addressing critical vulnerabilities should be applied immediately to maintain robust cybersecurity defenses.
