The leaked materials, totaling over 20,000 files, expose the inner workings of what security researchers identify as the Kimsuky group, a state-sponsored hacking organization sanctioned by the U.S. Treasury Department.
Government Networks Compromised
The breach analysis reveals successful infiltration of South Korea’s Defense Counterintelligence Command (dcc.mil.kr) and Ministry of Foreign Affairs systems.
Attack logs show recent phishing campaigns using domains like nid.navermails.com to harvest credentials from military personnel, with compromised accounts including:
```text
jandy3912@dcc.mil.kr_amFuZHkzOTEyQGRjYy5taWwua3I=
di031111@dcc.mil.kr_ZGkwMzExMTFAZGNjLm1pbC5rcg==
```
The attackers maintained persistent access to internal government networks, with logs showing connections to onnara9.saas.gcloud.go.kr, an internal government portal not accessible from the public internet.
Python automation scripts discovered in the dump indicate systematic data exfiltration capabilities:
```python
# Fragment quoted from the dump; onnara_sso and Client are the scripts' own helpers (not shown).
onnara = onnara_sso("horedi79", "", "", "1250000", "onnara9")
client = Client(config_hub)
```
Malware Arsenal Includes Kernel-Level Backdoors
Technical analysis reveals a sophisticated malware toolkit including a Tomcat kernel-level backdoor capable of remote system compromise.
The Linux Kernel Module (LKM) employs TCP sequence number manipulation for covert communication:
- Master password: "Miu2jACgXeDsxd"
- Client authentication: "!@nf4@#fndskgadnsewngaldfkl"
- Communication interface: /proc/acpi/pcicard
The group also deployed custom Cobalt Strike beacons with encrypted C2 communication using configuration parameters:
```text
BeaconType HTTP
Port 8172
SleepTime 60842
C2Server 192.168.179.112,/dot.gif
Watermark 126086
```
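To show how a beacon configuration dump like the one above turns into hunting logic, here is an added Python example (not code from the leak or from the article): it parses the quoted fields, derives the C2 host, port, URI path and sleep interval, then matches constructed proxy log lines against them and flags sources whose request spacing tracks the beacon's sleep, which goes one step beyond the static indicators the article lists. The proxy-log format, the sample log lines and the function names are assumptions made for this example.

```python
import re
from datetime import datetime
from ipaddress import ip_address
# Beacon config fields as quoted in the article (page's values, embedded so this runs offline).
BEACON_CONFIG = """\
BeaconType HTTP
Port 8172
SleepTime 60842
C2Server 192.168.179.112,/dot.gif
Watermark 126086
"""
# Hypothetical proxy-log format for this example: ts src -> dst:port "METHOD uri"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) "[A-Z]+ (?P<uri>\S+)"$')

def parse_beacon_config(text):
    """Turn the 'Key Value' dump into a dict with derived hunting fields."""
    cfg = dict(line.split(" ", 1) for line in text.splitlines() if " " in line)
    host, _, uri = cfg["C2Server"].partition(",")
    cfg["C2Host"], cfg["C2Uri"] = host, uri or "/"
    cfg["Port"] = int(cfg["Port"])
    cfg["SleepSeconds"] = int(cfg["SleepTime"]) / 1000  # SleepTime is in milliseconds
    cfg["C2IsPrivate"] = ip_address(host).is_private  # RFC 1918: lab build or internal relay
    return cfg

def find_beacon_hits(cfg, log_lines):
    """Return (src, datetime) for log lines that reach the C2 host, port and URI path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if (m and m["dst"] == cfg["C2Host"] and int(m["port"]) == cfg["Port"]
                and m["uri"].split("?", 1)[0] == cfg["C2Uri"]):
            hits.append((m["src"], datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))))
    return hits

def periodic_sources(hits, sleep_seconds, tolerance=0.25):
    """Sources whose consecutive hits are all spaced within tolerance of the beacon sleep."""
    flagged = []
    for src in {s for s, _ in hits}:
        times = sorted(ts for s, ts in hits if s == src)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and all(abs(g - sleep_seconds) <= tolerance * sleep_seconds for g in gaps):
            flagged.append(src)
    return sorted(flagged)
# Constructed proxy log lines for this example (not from the leak).
SAMPLE_LOGS = [
    '2025-01-10T08:00:00Z 10.0.0.5 -> 192.168.179.112:8172 "GET /dot.gif"',
    '2025-01-10T08:01:01Z 10.0.0.5 -> 192.168.179.112:8172 "GET /dot.gif?id=7"',
    '2025-01-10T08:01:10Z 10.0.0.9 -> 203.0.113.7:443 "GET /index.html"',
    '2025-01-10T08:02:02Z 10.0.0.5 -> 192.168.179.112:8172 "GET /dot.gif"',
]
```

The private C2 address the article quotes is the kind of detail worth checking before writing a block rule: it will only ever match inside a network that uses that range.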
Additional tools include an Android ToyBox variant, Ivanti Control exploits targeting CVE-2025-0282, and sophisticated phishing frameworks with IP blacklisting to evade security vendors.
The attackers demonstrated advanced tradecraft by stealing Government Public Key Infrastructure (GPKI) certificates and developing Java programs to crack certificate passwords.
The breach highlights the evolving sophistication of state-sponsored cyber operations, with evidence suggesting collaboration between North Korean and Chinese APT groups through shared toolsets and infrastructure.
The post North Korean Kimsuky Hackers Hit by Data Breach, Insiders Leak Files Online appeared first on Cyber Security News.
