
Kimsuky Group Targets Gmail Accounts of Geopolitical Experts

The German and South Korean governments have recently issued a joint advisory warning about cyber attacks by the threat actor known as Kimsuky. Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is a subordinate element within North Korea's Reconnaissance General Bureau and is known for collecting strategic intelligence on geopolitical events and negotiations affecting the DPRK's interests.

The primary targets of Kimsuky's attacks are entities in the U.S. and South Korea, particularly those in government, military, manufacturing, academic, and think tank organizations. Recent attacks orchestrated by Kimsuky suggest an expansion of its cyber activity to encompass Android malware strains such as FastFire, FastSpy, FastViewer, and RambleOn. The use of Chromium-based browser extensions for cyber espionage is not new for Kimsuky, which has previously used similar techniques in campaigns tracked as Stolen Pencil and SharpTongue.

The joint advisory from Germany's domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service (NIS) notes that the intrusions are designed to strike "experts on the Korean Peninsula and North Korea issues" through spear-phishing campaigns. Google-owned threat intelligence firm Mandiant disclosed last year that "this threat actor's activities include collecting financial, personal, and client data specifically from academic, manufacturing, and national security industries in South Korea."

