Hackers breach and expose a major North Korean spying operation

In a striking revelation, a duo of hackers claims to have infiltrated the systems of a North Korean government hacker, shedding light on the secretive operations of the nation’s cyber espionage activities. Known by their handles, Saber and cyb0rg, the pair detailed their findings in a recent edition of Phrack, a famed cybersecurity e-zine that has been a staple since its inception in 1985. This latest issue was disseminated at the Def Con hackers conference held in Las Vegas last week. The hackers reported that they successfully accessed a workstation that housed a virtual machine and a virtual private server belonging to an individual they refer to as “Kim.” They allege that Kim is affiliated with Kimsuky, a prominent North Korean espionage group also recognized as APT43 or Thallium. The acquired data was subsequently leaked to DDoSecrets, a nonprofit organization dedicated to preserving leaked information for public interest. Kimsuky is notorious for its advanced persistent threat (APT) activities, targeting journalists, government entities in South Korea, and other potential intelligence assets. Their operations often blur the lines between state-sponsored hacking and cybercrime, with incidents of cryptocurrency theft and laundering aimed at financing North Korea’s nuclear ambitions. This breach offers an almost unparalleled insight into Kimsuky’s inner workings, as the hackers managed to compromise an actual member of the group rather than relying on traditional investigative methods used by cybersecurity experts. “It reveals how Kimsuky collaborates openly with Chinese hackers, sharing tools and methodologies,” the hackers asserted. While the actions of Saber and cyb0rg are technically illegal, it is unlikely they will face prosecution, given the numerous sanctions imposed on North Korea. They seem to believe that exposing Kimsuky is a form of justice, describing the group’s members as motivated by greed and malice. “Kimsuky, you’re not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda,” they stated in Phrack. “You hack for all the wrong reasons.” In their investigation, Saber and cyb0rg claim to have discovered evidence of Kimsuky infiltrating various South Korean government networks and private companies, along with a trove of emails, hacking tools, internal manuals, and sensitive passwords. They identified Kim’s status as a North Korean government hacker through various digital artifacts and patterns, noting his consistent work hours, logging in around 09:00 and disconnecting by 17:00 Pyongyang time.