A major cybersecurity event is unfolding as the notorious North Korean state-backed hacking group, Kimsuky, is allegedly facing a significant data breach of its own. A data trove, reportedly containing an astounding 8.9 GB of Kimsuky’s internal data, has been stolen and exposed by a group of hackers operating under the monikers “Saber” and “cyb0rg.”
The breach, which has been reported by multiple cybersecurity news outlets, appears to be an act of retaliation against Kimsuky’s long history of politically motivated cyberattacks and financial cybercrime. The exposed data, which has been added to the Distributed Denial of Secrets site, is said to include a wide range of sensitive information. This reportedly includes phishing logs with email accounts from South Korea’s Defense Counterintelligence Command, the entire source code for the South Korean Ministry of Foreign Affairs’ email platform, and a number of targeted domains.
Further analysis of the leaked data by security researchers may provide unprecedented insights into Kimsuky’s operational infrastructure and tactics. The dump allegedly contains Kimsuky’s Cobalt Strike loaders, Onnara proxy modules, and Bash history with SSH connections to their internal systems. This kind of exposure could significantly disrupt Kimsuky’s operations, which have been active since at least 2012.
Kimsuky, also known as Velvet Chollima, Black Banshee, and APT43, is administratively subordinate to North Korea’s Reconnaissance General Bureau (RGB), the country’s primary foreign intelligence service. The group has a well-documented history of targeting government agencies, think tanks, academic institutions, and defense contractors, primarily in South Korea, but also in the United States, Japan, and other countries. Their primary mission is to steal data and gather geopolitical intelligence to advance North Korea’s military and economic objectives. The group is particularly known for its sophisticated spear-phishing campaigns, where they often impersonate journalists or experts to trick victims into downloading malware.
While security researchers are still working to verify the authenticity of the leaked data, if confirmed, this incident would represent a rare instance of a state-sponsored hacking group being compromised in a public manner. Such an event could prove to be a major setback for Kimsuky and offer cybersecurity experts a unique opportunity to enhance defenses against their evolving and persistent threat.
