Hackers Breach and Expose a Major North Korean Spying Operation
A shocking revelation has emerged from the world of cybersecurity, as hackers have claimed to have compromised the computer of a North Korean government hacker and leaked its contents online. The two hackers, who go by Saber and cyb0rg, published their report in the latest issue of Phrack magazine, a legendary cybersecurity e-zine that was first published in 1985.
The breach, which took place at the Def Con hackers conference in Las Vegas last week, has offered a rare glimpse into a hacking operation by the notoriously secretive nation. According to Saber and cyb0rg, they were able to compromise a workstation containing a virtual machine and a virtual private server belonging to the hacker, whom they call “Kim.”
The hackers claim Kim works for the North Korean government espionage group known as Kimsuky, also known as APT43 and Thallium. This group is widely believed to be working inside North Korea's government, targeting journalists and government agencies in South Korea and elsewhere, as well as other targets that could be of interest for North Korea's intelligence apparatus.
As part of the breach, Kimsuky members were found to conduct operations more akin to those of a cybercriminal group, stealing and laundering cryptocurrencies to fund North Korea's nuclear weapons program. The hack gives an almost unprecedented look inside Kimsuky's operations, because Saber and cyb0rg compromised one of the group's members rather than investigating a data breach, which is what cybersecurity researchers and companies typically have to rely on.
“It shows a glimpse how openly ‘Kimsuky’ cooperates with Chinese [government hackers] and shares their tools and techniques,” the hackers wrote. Obviously, what Saber and cyb0rg did is technically a crime, although they will likely never be prosecuted for it, considering North Korea is sanctioned up to its eyeballs.
The two hackers clearly believe Kimsuky members deserve to be exposed and embarrassed. “Kimsuky, you’re not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda. You steal from others and favour your own. You value yourself above the others: You are morally perverted,” the two wrote in Phrack. “You hack for all the wrong reasons.”
Saber and cyb0rg claim to have found evidence of Kimsuky compromising several South Korean government networks and companies, as well as email addresses, hacking tools used by the Kimsuky group, internal manuals, passwords, and more data. Emails sent to the addresses allegedly belonging to the hackers, which were listed in the research, went unanswered.
The hackers wrote that they were able to identify Kim as a North Korean government hacker thanks to “artifacts and hints” that pointed in that direction, including file configurations and domains previously attributed to the North Korean hacking group Kimsuky. The hackers also noted Kim's "strict office hours, always connecting at around 09:00 and disconnecting by 17:00 Pyongyang time."
The Significance of this Breach
This hack gives a rare glimpse into the inner workings of Kimsuky, one of the most secretive and elusive APT groups in the world. It highlights the level of sophistication and coordination between North Korean government hackers and their Chinese counterparts.
It also underscores the threat that Kimsuky poses to global cybersecurity, as well as the need for greater awareness and cooperation between governments and cybersecurity researchers to combat this type of threat.
The Future of Cybersecurity
This breach serves as a reminder that the world of cybersecurity is constantly evolving, and that new threats are emerging all the time. It highlights the importance of staying vigilant and proactive in protecting ourselves against these threats.
As we move forward, it's essential to continue to develop our skills and knowledge in this area, as well as to stay informed about the latest developments and trends in cybersecurity.