Hackers expose major North Korean espionage operation


Hackers claim to have hacked into the computer of a North Korean government hacker and published its contents online, providing a rare glimpse into the hacking activities of this notoriously secretive country.

Two hackers known by the pseudonyms Saber and cyb0rg published a report on the hack in the latest issue of Phrack, a legendary electronic publication on cybersecurity that first appeared in 1985. The latest issue was distributed at the Def Con hacker conference in Las Vegas last week.

In the article, the two hackers wrote that they managed to hack into a workstation that hosted a virtual machine and a virtual private server belonging to a hacker they refer to as “Kim.” The hackers claim that Kim works for a North Korean government espionage group known as Kimsuky, also known as APT43 and Thallium. The hackers handed over the stolen data to DDoSecrets, a non-profit organization that stores stolen data sets in the public interest.

Kimsuky is an active group engaged in advanced persistent threats (APT) and is believed to be working for the North Korean government. It targets journalists and government agencies in South Korea and other countries, as well as other targets that may be of interest to North Korean intelligence services.

As is usually the case with North Korea, Kimsuky also conducts operations that are more reminiscent of the activities of a cybercriminal group — for example, stealing and laundering cryptocurrencies to finance North Korea’s nuclear weapons program.

This hack provides an almost unprecedented insight into Kimsuky’s activities, given that the two hackers hacked one of the group’s members rather than investigating a data leak, as cybersecurity researchers and companies usually do.

“This shows how openly Kimsuky cooperates with Chinese [government hackers] and shares its tools and techniques with them,” the hackers wrote.

Obviously, what Saber and cyb0rg did is technically a crime, although they will probably never be held accountable for it, given that North Korea is under severe sanctions. These two hackers clearly believe that the members of Kimsuky deserve to be exposed and shamed.

“Kimsuky, you are not a hacker. You are driven by financial greed, seeking to enrich your leaders and implement their political plans. You steal from others and favor your own. You place yourself above others: you are morally corrupt,” they wrote in Phrack. “You hack for the wrong reasons.”

Saber and cyb0rg claim to have found evidence that Kimsuky hacked several South Korean government networks and companies, as well as email addresses and hacking tools used by the Kimsuky group, internal manuals, passwords, and other data.

No response was received to emails sent to addresses allegedly belonging to hackers and listed in the study.

The hackers wrote that they were able to identify Kim as a North Korean government hacker thanks to “artifacts and clues” that pointed to this, including file configurations and domains previously attributed to the North Korean hacking group Kimsuky.

The hackers also noted Kim’s “strict working hours, always logging on at around 9 a.m. and logging off at 5 p.m. Pyongyang time.”
