View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 12, 2022

North Korean hackers Kimsuky impersonating researchers to speak to foreign policy experts

By pretending to be from leading think tanks, hackers from North Korea are able to speak to foreign policy experts directly.

By Claudia Glover

North Korean state-sponsored hackers have been impersonating leading researchers to aid their information-gathering activities. The cybercriminals pose as researchers from think tanks to commission reports into aspects of US, Chinese and Russian foreign policy, it has been revealed.

Kimsuky impersonates researchers to garner data for the North Korean regime. (Photo by Astrelok/Shutterstock)

Notorious North Korean hacking gang Kimsuky, also known as Thallium has been spearheading the information-gathering campaign according to researchers from Microsoft.

Kimsuky: North Korean hackers impersonate researchers to gather nuclear information

Members of Kimsuky are apparently impersonating researchers at think tanks to commission reports on areas of interest for the North Korean government from subject matter experts.

Popular issues referenced by the gang include China’s reaction in the event of a nuclear test and whether a quieter approach to North Korean aggression might be warranted.

The campaign began in January and has since been lucrative. “The attackers are having a ton of success,” said James Elliott of the Microsoft Threat Intelligence Centre (MSTIC). Speaking to Reuters, Elliott added that “the attackers have completely changed the process”.

The MSTIC has identified several North Korean experts who provided information to a Kimsuky attacker account. The researchers targeted by the gang are influential in shaping foreign policy concerning North Korea in countries around the world.

“Attackers are getting information directly from the horse’s mouth,” Elliott said. “They don’t have to sit there and make interpretations because they’re getting it directly from the expert.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

In some cases, criminals can engage with experts for months as they gather the information they need. They use spoofed emails which resemble those of research institutions.

US-based foreign affairs analyst Daniel DePetris told Reuters he received realistic emails from the gang, as though a researcher was asking him for a paper submission or comments on a draft. “They were quite sophisticated, with think tank logos attached to the correspondence to make it look as if the inquiry was legitimate,” he explained.

A few weeks after receiving that email, another hacker started to impersonate him, asking fellow researchers to look at a draft, he said. In that email the hackers were offering $300 to review a manuscript about North Korea’s nuclear programme purportedly written by DePetris, asking for recommendations for other reviewers. 

Kimsuky continues its cyberespionage activities

Kimsuky, or Thallium, has long been on the radar of Western governments. North Korea is well known for using cyber espionage gangs to circumnavigate sanctions, in an effort to source valuable information and steal millions of dollars worth of cryptocurrencies

The FBI and CISA have released warnings about the gang in the past, with Kimsuky having been active since 2012. Its favoured tactic is usually spearphishing, where gang members would gather enough intelligence about a specific, targeted individual to mine them for information or money, normally with the use of social engineering.

The gang’s most recent campaign was a widespread cyber espionage mission targeting Android phones in South Korea, Japan and the US. In October it was revealed that Kimsuky was targeting individuals and companies across the public and private sectors.

Earlier this year a breach of a South Korean nuclear research institute called the Korean Atomic Energy Research Institute (KAERI) was also revealed to have been carried out by the hackers. “If the state’s key technologies on nuclear energy have been leaked to North Korea, it could be the country’s biggest breach,” KAERI said in a statement.

Read more: HolyGhost North Korean hackers target SMEs

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.