
Hacktivists Expose North Korean Hacker Group in New Operation
The latest video from @seytonic covers a remarkable operation conducted by hacktivists against a North Korean hacker group. Two hacktivists, Saber and cyb0rg, compromised the computer of a presumed member of APT43, also known as Kimsuky, a group known for espionage as well as for cybercrime used to finance its operations.
The contents of the compromised computer, belonging to an individual the hacktivists nicknamed Kim, were exfiltrated in full and made public. The hacktivists published a report detailing their operation and what they found. Kim was running the Linux distribution Deepin, and the dump includes several screenshots of his desktop, probably taken by accident.
Among the most significant discoveries is evidence of ongoing espionage operations, primarily targeting South Korea. Logs show phishing attacks against South Korean military intelligence, and the dump contains a copy of the source code of a messaging server used by the South Korean Ministry of Foreign Affairs. There are also indications that Kimsuky still had access to internal South Korean government systems.
The complete dump also includes a copy of a VPS that Kim used to launch his attacks, together with the credentials to access it, which were still valid when the report was published. Source code for several backdoors and exploits was also found, along with manuals describing how to use them.
Saber and cyb0rg explain that the South Korean Ministry of Unification is a regular Kimsuky target: the dump shows a brute-force attempt against it using a custom password list, which failed. It also shows that Kim bought a domain from Namecheap with bitcoin, but the domain was deactivated shortly afterward over legitimacy concerns.
Kim's browsing history was strictly work-related and contained nothing embarrassing. The report stays vague about how Saber and cyb0rg identified and broke into Kim's computer, probably to avoid incriminating themselves. Attribution of the computer to Kimsuky rests on circumstantial clues: similarities with known Kimsuky code, a system configured in Korean, and working hours that match Pyongyang's time zone.
The complete 9 GB dump is available for download, but caution is advised when handling it, since it contains backdoor and exploit code. The leak and the accompanying report were published in the latest issue of Phrack, the hacker magazine that has been iconic in hacker culture for decades.
To learn more, watch the full video at the following address: https://www.youtube.com/watch?v=KfuPuZdEedU