South Korea, Germany issued joint alert on Kimsuky exploiting Google

By Dain Oh, The Readable
Mar. 20, 2023 7:05PM GMT+9

The intelligence agencies in South Korea and Germany issued a joint alert on Monday regarding the latest cyberattack by the North Korean state-sponsored hacking group Kimsuky. This is the second joint alert that the South Korean spy agency issued with a foreign intelligence agency, following the first warning announced in collaboration with the United States last February.

The National Intelligence Service (NIS) of South Korea and the Federal Office for the Protection of the Constitution (BfV) of Germany collectively published a cybersecurity advisory on March 20 that describes the advanced hacking techniques used by Kimsuky. In the advisory, the NIS directly linked Kimsuky to the North Korean Reconnaissance General Bureau (RGB). This is a rare occurrence because the South Korean government seldom publicly places blame on North Korea for cybercrimes.

According to the NIS, Kimsuky has recently been stealing emails coming in and out of Google by abusing an extension program for Chromium. Chromium is an open-source web browser project primarily developed by Google. The hackers send malicious emails with embedded links to their targets and induce them to install a compromised extension program which operates in Chromium. Once the targets finish downloading the program, the bad actors are able to take over the targets’ emails in real time without using any login credentials.

In addition, it was discovered that Kimsuky has taken advantage of the synchronization of Google Play to install malicious applications on their targets’ mobile devices. The hackers log into a victim’s Google account on a personal computer using information acquired in advance through phishing attacks. Even though the victim takes no action on his or her mobile phone, the malicious application, which was registered on Google Play as a test, begins to be installed onto the targeted device due to the synchronization in the user’s account, leading to a data leak.

Kimsuky has built its notorious reputation especially by attacking think tanks in South Korea and quickly updating its tools. The group is also known by different names, including Thallium, Black Banshee, and Velvet Chollima, while the U.S. government refers to the group as Hidden Cobra. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Kimsuky advanced persistent threat (APT) group has been operating since 2012, tasked by the North Korean regime with a global intelligence gathering mission.

“Considering the recent cyberattacks from Kimsuky, which are mainly conducted through spear phishing, users need to acknowledge how to identify malicious emails and follow recommendations when they receive suspicious emails,” wrote the intelligence agency in its press release. “We should pay extra attention to the newest hacking activities from North Korea in our daily lives,” asserted Baek Jong-wook, the third deputy director of NIS.
