Hackers say they have breached the computer of a North Korean government-linked operative, publishing its contents online in what they describe as an unprecedented look inside the country’s cyber espionage operations.
The two hackers, known as Saber and cyb0rg, detailed the breach in the latest issue of Phrack, a long-running cybersecurity e-zine, released last week at the Def Con conference in Las Vegas. They claim the target, identified only as “Kim,” is a member of Kimsuky, also known as APT43 and Thallium, a state-backed hacking unit accused of targeting journalists, government agencies, and financial institutions.
The attackers say they infiltrated Kim’s workstation, which contained a virtual machine and virtual private server, then leaked the data to DDoSecrets, a nonprofit that archives datasets in the public interest. “It shows a glimpse how openly ‘Kimsuky’ cooperates with Chinese [government hackers] and shares their tools and techniques,” the hackers wrote.
Kimsuky is believed to operate under North Korea’s intelligence services, combining espionage with criminal operations, including stealing and laundering cryptocurrency to help fund the country’s nuclear program. Typically, researchers study the group’s activity from the outside, but this breach involved direct access to an operative’s system.
Saber and cyb0rg said the files contained evidence of compromises of South Korean government networks and companies, hacking tools, internal manuals, passwords, and email addresses. They identified Kim as a North Korean government hacker based on “artifacts and hints,” including configuration files and domains tied to Kimsuky, and noted his “strict office hours, always connecting at around 09:00 and disconnecting by 17:00 Pyongyang time.”
“Kimsuky, you’re not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda. You steal from others and favour your own. You value yourself above the others: You are morally perverted,” they wrote in Phrack. “You hack for all the wrong reasons.”
Emails sent to addresses allegedly linked to the operative went unanswered. While hacking into Kimsuky’s systems is illegal, prosecution is unlikely given the heavy international sanctions against North Korea.
