North Korean Hacker Group Kimsuky Continues to Target South Korean Government Agencies
APT37, APT38 Also Launching Wide-Scale Cyberattacks
Could a Nation-State Be Behind the SKT Hacking Incident?

North Korean hacker groups have carried out cyberattacks targeting internal systems of South Korean government agencies. A wave of sophisticated advanced persistent threat (APT) attacks, focused on software supply chains, has emerged, raising red flags across the country’s cybersecurity landscape.

Evidence of Kimsuky’s Cyberattacks

On August 8 (local time), U.S. hacking magazine Phrack cited a report titled “APT Down: The North Korea Files” to reveal that Kimsuky, a hacker group under North Korea’s Reconnaissance General Bureau, has been carrying out simultaneous attacks on South Korean government agencies and telecom companies. The report, co-authored by white-hat hackers “Saber” and “cyb0rg,” was disclosed by the nonprofit DDoSecrets at the DEF CON hacking conference held in San Francisco from August 7 to 10.

According to the report, in June a large-scale data dump—containing account credentials and keys for internal systems of the Ministry of the Interior and Safety, the Ministry of Foreign Affairs, the Defense Counterintelligence Command, and domestic telecom operators—was discovered. The dump is said to have been leaked from virtual machines used by Kimsuky hackers and virtual private servers deployed for spear-phishing campaigns. Portions of the dump released on the dark web included backdoors and attack tool source code, as well as sensitive information believed to have been stolen from South Korean government agencies. Major government email accounts and platforms were exposed, and evidence suggested that the attackers had accessed government sites as recently as this year.

Additional findings pointed to login attempts and phishing activity targeting the Defense Counterintelligence Command, the Ministry of Foreign Affairs, and the Supreme Prosecutors’ Office. In the case of the Ministry of the Interior and Safety, the government’s internal “On-Nara” system was attacked, while the Ministry of Foreign Affairs saw its email platform targeted. The attackers also hacked into a company providing security solutions to a domestic telecom operator to infiltrate its internal network, and stole authentication certificates and private keys from another telecom operator’s remote access service.

North Korean State-Backed Groups Continue Indiscriminate APT Attacks

North Korea’s hacking operations are causing widespread disruption beyond government agencies, targeting various sectors of South Korean society. These groups are launching sophisticated cyberattacks that infiltrate the software development and distribution process itself, aiming at domestic corporations, institutions, and open-source developer communities. A notable example is the APT37 (Reaper) “RoKRAT” variant attack, which uses files disguised as Windows shortcut (.lnk) documents to trigger infections. Although a .lnk file appears to be a simple document, it is actually a Windows-specific format capable of embedding auto-execution commands. When a user clicks the file, the attacker’s embedded command runs instantly.

The attackers further exploit PowerShell, Windows’ built-in automation tool, to execute external commands, and employ steganography—concealing malicious code inside image files. This method hides signs of malicious activity, making it extremely difficult to detect infections. Once inside, attackers use remote code execution (RCE) to download additional malware and carry out classic information-stealing APT functions, such as keylogging, screen capturing, and file exfiltration from the compromised system.

Lazarus Group, known as APT38, has also been leveraging the open-source development ecosystem for infiltration attempts. They upload malicious packages disguised as legitimate libraries to platforms like GitHub or package repositories. Once installed, these packages infect the developer’s device. GitHub, a global open-source platform for storing and collaborating on source code, can act as a springboard: infecting a single developer can lead to further breaches into an entire community or an organization’s internal network.

Could North Korea Be Behind the SKT Hacking Incident?

Some analysts believe North Korea may be behind this year’s high-profile cyberattack on SK Telecom (SKT). A cybersecurity expert noted that hacking groups focused on return on investment (ROI) are unlikely to conduct long-term attacks on large corporations like SKT unless state sponsorship is involved. Given that North Korean hackers previously infiltrated four SK Group affiliates, including SK Networks Service, for over a year starting in July 2014—installing a large volume of malware—suspicions are well-founded.

However, there is also a theory that China may have been responsible. This view stems from the strikingly similar LG Uplus hack, which was attributed to Chinese actors. According to The Washington Post, in February last year, Chinese cybersecurity company i-Soon—under contract with China’s Ministry of Public Security (MPS)—hacked 3 terabytes (TB) of LG Uplus call records over eight years. i-Soon is known as an APT specialist serving the MPS. In March, the U.S. State Department indicted eight i-Soon employees, revealing that China’s MPS and Ministry of State Security (MSS) use a broad network of private companies and contractors, including i-Soon, for hacking operations.

Global cybersecurity firms have also pointed to repeated Chinese involvement in attacks on South Korean telecom providers. Last month, U.S. cybersecurity company Trend Micro reported that China’s APT group Red Menshen carried out BPFdoor attacks on domestic telecoms in July and December of last year. Taiwanese firm TeamT5 similarly reported that a China-linked APT group exploited vulnerabilities in Ivanti VPN devices starting in late March to target telecom and other industries in 12 countries, including South Korea. The BPFdoor malware used in these attacks is also attributed to Red Menshen.