The Bridewell Cyber Threat Intelligence (CTI) team is committed to providing timely and actionable intelligence for our clients and the wider cybersecurity community. Recently, we reviewed the joint cyber security advisory published on March 20th, 2023 by the German domestic intelligence agency, Bundesamt für Verfassungsschutz (BfV), and the South Korean National Intelligence Service (NIS) on the North Korean Advanced Persistent Threat (APT) group, Kimsuky. Following our in-depth analysis of the malware and its associated indicators, we are now sharing new insights specifically focused on the energy sector to help UK energy companies bolster their cyber defenses.
Background
Kimsuky, also known as Velvet Chollima, Thallium, and Black Banshee, is a North Korean APT group that has been active since at least 2012. The group's primary objective is cyber-espionage, targeting government organisations, research institutes, and think-tanks in South Korea, Japan, the United States, and Europe. Kimsuky employs a range of tactics, techniques, and procedures (TTPs) such as spear-phishing campaigns, social engineering, and custom malware to compromise its targets and exfiltrate sensitive data.Impacted Sectors with a Focus on Energy
While Kimsuky has traditionally targeted foreign government institutions and research organisations, our analysis of the joint advisory and further research suggests that the group could expand its focus to include the energy sector. The group is likely interested in gaining access to sensitive information on energy production, distribution, and technology, which could be used for strategic advantage or potentially disruptive activities.
Sharing New Indicators - Kimusky C2 Servers
In light of the potential threat to the UK energy sector, our team has identified additional indicators that can help energy companies protect against Kimsuky's attacks. Specifically, we have discovered new IP addresses associated with Kimsuky's command-and-control (C2) servers.
We Recommend that UK Energy Companies
- Monitor network traffic for connections to these newly discovered IP addresses and take appropriate action if detected.
- Update security tools, such as intrusion detection and prevention systems (IDPS), with the latest signatures and rules to detect Kimsuky's malware and network activity.
- Strengthen security awareness training for employees, emphasising the importance of vigilance against spear-phishing campaigns and social engineering tactics often used by Kimsuky.
- Conduct regular threat hunting exercises to proactively search for signs of compromise in the organisation's IT /OT environment.
Conclusion
The evolving threat landscape requires constant vigilance, and the Bridewell CTI team is dedicated to helping organisations stay ahead of emerging threats like Kimsuky. By sharing our findings and working closely with the cybersecurity community, we aim to empower CISOs in the UK energy sector to better protect their organisations against advanced cyber-espionage campaigns.
Appendix IoCs
92.38.160.]23
92.38.160.]4
92.38.135.]136
92.38.135.]166
92.38.160.]43
92.38.135.]159
92.38.135.]195
92.38.160.]10
92.38.135.]213
92.38.160.]81
58.229.169.]224
92.38.160.]155
92.38.160.]172
209.127.36.]73
92.38.160.]131
45.114.129.]146
92.38.160.]161
92.38.160.]84
92.38.160.]44
220.84.114.]158
220.123.200.]183
61.253.107.]35
92.38.135.]148
92.38.160.]140
Joint Security Advisory: https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory-korean.pdf;jsessionid=47F2F14D2091114CB755A802680599E1.intranet252?__blob=publicationFile&v=1
Register for instant alerts to Bridewell threat advisories or to speak with a member of our Cyber Threat Intelligence team.