Kimsuky

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the UN and the government, education, business services, and manufacturing sectors in the United States, Japan, Russia, and Europe. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean cyber espionage actors likely as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ID: G0094
Associated Groups: Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, APT43, TA427
Contributors: Taewoo Lee, KISA; Dongwook Kim, KISA
Version: 5.0
Created: 26 August 2019
Last Modified: 10 October 2024

Associated Group Descriptions

Name Description
Black Banshee [2][3]
Velvet Chollima [10][11][3]
Emerald Sleet [12][6]
THALLIUM [2][3][5][6]
APT43 [5][6]
TA427 [6]

Techniques Used

Domain ID Name Use
Enterprise T1557 Adversary-in-the-Middle

Kimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.[4]

Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.[13]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.[10][4][7][14]

Enterprise T1005 Data from Local System

Kimsuky has collected Office, PDF, and HWP documents from its victims.[13][14]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Kimsuky has disguised services to appear as benign software or related to operating system functions.[4]

.005 Masquerading: Match Legitimate Name or Location

Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll.[15]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Kimsuky has used pass the hash for authentication to remote access software used in C2.[4]

Enterprise T1598 Phishing for Information

Kimsuky has used tailored spearphishing emails to gather victim information including contact lists to identify additional targets.[5]

.003 Spearphishing Link

Kimsuky has used links in e-mail to steal account information including web beacons for target profiling.[16][3][17][6]

Enterprise T1112 Modify Registry

Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.[4][18][14][17]

Enterprise T1534 Internal Spearphishing

Kimsuky has sent internal spearphishing emails for lateral movement after stealing victim information.[17]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Kimsuky has created new services for persistence.[13][4]

Enterprise T1136 .001 Create Account: Local Account

Kimsuky has created accounts with net user.[17]

Enterprise T1190 Exploit Public-Facing Application

Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.[17]

Enterprise T1620 Reflective Code Loading

Kimsuky has used the Invoke-Mimikatz PowerShell script to reflectively load a Mimikatz credential stealing DLL into memory.[5]

Enterprise T1140 Deobfuscate/Decode Files or Information

Kimsuky has decoded malicious VBScripts using Base64.[14]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Kimsuky has placed scripts in the startup folder for persistence and modified the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Registry key.[13][4][18][14][17]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz.[1][4][14][17][5]

.003 Command and Scripting Interpreter: Windows Command Shell

Kimsuky has executed Windows commands by using cmd and running batch scripts.[14][17]

.005 Command and Scripting Interpreter: Visual Basic

Kimsuky has used Visual Basic to download malicious payloads.[11][16][18][14] Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.[14]

.006 Command and Scripting Interpreter: Python

Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.[4][17]

.007 Command and Scripting Interpreter: JavaScript

Kimsuky has used JScript for logging and downloading additional tools.[16][4]

Enterprise T1584 .001 Compromise Infrastructure: Domains

Kimsuky has compromised legitimate sites and used them to distribute malware.[17][5]

Enterprise T1133 External Remote Services

Kimsuky has used RDP to establish persistence.[4]

Enterprise T1111 Multi-Factor Authentication Interception

Kimsuky has used a proprietary tool to intercept one time passwords required for two-factor authentication.[17]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.[13][14]

.004 Impair Defenses: Disable or Modify System Firewall

Kimsuky has been observed disabling the system firewall.[13]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Kimsuky has used HTTP GET and POST requests for C2.[14]

.002 Application Layer Protocol: File Transfer Protocols

Kimsuky has used FTP to download additional malware to the target machine.[16]

.003 Application Layer Protocol: Mail Protocols

Kimsuky has used e-mail to send exfiltrated data to C2 servers.[4]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Kimsuky has created social media accounts to monitor news and security trends as well as potential targets.[17]

.002 Establish Accounts: Email Accounts

Kimsuky has created email accounts for phishing operations.[17][5][6]

Enterprise T1587 Develop Capabilities

Kimsuky created and used a mailing toolkit to use in spearphishing attacks.[16]

.001 Malware

Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.[17][14][5]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Kimsuky has used QuickZip to archive stolen files before exfiltration.[14]

.003 Archive Collected Data: Archive via Custom Method

Kimsuky has used RC4 encryption before exfil.[13]

Enterprise T1594 Search Victim-Owned Websites

Kimsuky has searched for information on the target company's website.[17]

Enterprise T1593 .001 Search Open Websites/Domains: Social Media

Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.[3]

.002 Search Open Websites/Domains: Search Engines

Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.[17]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Kimsuky has gathered credentials using Mimikatz and ProcDump.[4][7][17]

Enterprise T1591 Gather Victim Org Information

Kimsuky has collected victim organization information including but not limited to organization hierarchy, functions, press releases, and others.[17]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Kimsuky has collected valid email addresses including personal accounts that were subsequently used for spearphishing and other forms of social engineering.[3][6]

.003 Gather Victim Identity Information: Employee Names

Kimsuky has collected victim employee name information.[17]

Enterprise T1074 .001 Data Staged: Local Data Staging

Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.[4][14]

Enterprise T1083 File and Directory Discovery

Kimsuky has the ability to enumerate all files and directories on an infected system.[13][14][17]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Kimsuky has used compromised and acquired infrastructure to host and deliver malware including Blogspot to host beacons, file exfiltrators, and implants.[14][5]

Enterprise T1078 .003 Valid Accounts: Local Accounts

Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.[7]

Enterprise T1505 .003 Server Software Component: Web Shell

Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.[4]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Kimsuky has used tools that are capable of obtaining credentials from saved mail.[7]

Enterprise T1012 Query Registry

Kimsuky has obtained specific Registry keys and values on a compromised host.[14]

Enterprise T1176 Browser Extensions

Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.[10][7]

Enterprise T1027 Obfuscated Files or Information

Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.[11][16] Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.[14]
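A defender-side check for the first-byte DLL tampering described above, added here as an example and not code from the page or from any Kimsuky sample: a file whose DOS magic is no longer "MZ" but whose e_lfanew field still leads to an intact "PE\0\0" signature is the footprint of a single overwritten byte. The sample files are constructed in a temporary directory; the helper and function names are this example's own.

```python
import struct
import tempfile
from pathlib import Path

# Constructed sample builder (not a real implant): a 64-byte DOS header whose
# e_lfanew field (offset 0x3C) points at a "PE\0\0" signature, which is all this
# check inspects. A first byte other than b"M" mimics the single-byte overwrite.
def build_minimal_pe(first_byte: bytes = b"M") -> bytes:
    dos_header = bytearray(64)
    dos_header[0:2] = first_byte + b"Z"
    struct.pack_into("<I", dos_header, 0x3C, 64)        # e_lfanew -> offset 64
    return bytes(dos_header) + b"PE\0\0" + bytes(20)    # COFF header placeholder

def classify_pe_header(data: bytes) -> str:
    """Return 'valid', 'tampered' or 'not-pe' for the leading bytes of a file."""
    if len(data) < 0x40:
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    has_pe_sig = e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    if not has_pe_sig:
        return "not-pe"
    if data[:2] == b"MZ":
        return "valid"
    # PE signature reachable through e_lfanew, but DOS magic is not "MZ":
    # the loader rejects the file, yet the payload is one byte away from valid.
    return "tampered"

def scan_for_tampered_dlls(root: Path, head_size: int = 4096) -> list:
    """Walk root and return .dll paths whose header classifies as tampered.
    Only head_size bytes are read; a legitimate file with a DOS stub larger
    than that is reported as 'not-pe', never as 'tampered'."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".dll":
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(head_size)
        except OSError:
            continue
        if classify_pe_header(head) == "tampered":
            hits.append(path)
    return hits

def demo_scan() -> list:
    """Write one intact and one tampered constructed DLL to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "clean.dll").write_bytes(build_minimal_pe())
        Path(tmp, "tampered.dll").write_bytes(build_minimal_pe(b"\x00"))
        return sorted(p.name for p in scan_for_tampered_dlls(Path(tmp)))

if __name__ == "__main__":
    print("tampered DLL headers:", demo_scan())
```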

.002 Software Packing

Kimsuky has packed malware with UPX.[3]

Enterprise T1204 .001 User Execution: Malicious Link

Kimsuky has lured victims into clicking malicious links.[17]

.002 User Execution: Malicious File

Kimsuky has attempted to lure victims into opening malicious e-mail attachments.[11][16][4][2][3][14]

Enterprise T1114 .002 Email Collection: Remote Email Collection

Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.[17]

.003 Email Collection: Email Forwarding Rule

Kimsuky has set auto-forward rules on victim's e-mail accounts.[4]

Enterprise T1070 .004 Indicator Removal: File Deletion

Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.[13][14][17]

.006 Indicator Removal: Timestomp

Kimsuky has manipulated creation and compilation timestamps to hinder forensic analysis.[2]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Kimsuky has used mshta.exe to run malicious scripts on the system.[1][4][18][17]

.010 System Binary Proxy Execution: Regsvr32

Kimsuky has executed malware with regsvr32.[17]

.011 System Binary Proxy Execution: Rundll32

Kimsuky has used rundll32.exe to execute malicious scripts and malware on a victim's network.[14]

Enterprise T1082 System Information Discovery

Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the "systeminfo" command.[13][14]

Enterprise T1007 System Service Discovery

Kimsuky has used an instrumentor script to gather the names of all services running on a victim's system.[14]

Enterprise T1016 System Network Configuration Discovery

Kimsuky has used ipconfig/all and web beacons sent via email to gather network configuration information.[14][6]

Enterprise T1040 Network Sniffing

Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.[4][7]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Kimsuky has used Blogspot pages for C2.[14]

Enterprise T1583 Acquire Infrastructure

Kimsuky has used funds from stolen and laundered cryptocurrency to acquire operational infrastructure.[5]

.001 Domains

Kimsuky has registered domains to spoof targeted organizations and trusted third parties including search engines, web platforms, and cryptocurrency exchanges.[11][19][4][2][3][17][5]

.004 Server

Kimsuky has purchased hosting servers with virtual currency and prepaid cards.[17]

.006 Web Services

Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.[14]

Enterprise T1588 .002 Obtain Capabilities: Tool

Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassView, Mimikatz, and PsExec.[7][14][5]

.005 Obtain Capabilities: Exploits

Kimsuky has obtained exploit code for various CVEs.[17]

Enterprise T1657 Financial Theft

Kimsuky has stolen and laundered cryptocurrency to self-fund operations including the acquisition of infrastructure.[5]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

Kimsuky has compromised email accounts to send spearphishing e-mails.[16][3]

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

Kimsuky has added accounts to specific groups with net localgroup.[17]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Kimsuky has checked for the presence of antivirus software with powershell Get-CimInstance -Namespace root/securityCenter2 -ClassName AntiVirusProduct.[17]

Enterprise T1105 Ingress Tool Transfer

Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.[18][14]

Enterprise T1056 .001 Input Capture: Keylogging

Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.[1][13][4][7][14][17]

Enterprise T1057 Process Discovery

Kimsuky can gather a list of all processes running on a victim's machine.[14]

Enterprise T1055 Process Injection

Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.[13]

.012 Process Hollowing

Kimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing.[14]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Kimsuky has used RDP for direct remote point-and-click access.[7]

Enterprise T1219 Remote Access Software

Kimsuky has used a modified TeamViewer client as a command and control channel.[13][18]

Enterprise T1041 Exfiltration Over C2 Channel

Kimsuky has exfiltrated data over its C2 channel.[13][14]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.[14]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.[10][13][11][16][2][3][14][17]

.002 Phishing: Spearphishing Link

Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.[1][7][17]

Enterprise T1564 .002 Hide Artifacts: Hidden Users

Kimsuky has run reg add 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList' /v to hide a newly created user.[17]
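A registry audit covering both the hidden-user technique above and the RunOnce persistence and mshta/regsvr32/rundll32/PowerShell proxy execution listed earlier on this page, added here as an example and not code from the page: it parses `reg export` text, flags any UserList value set to 0 (which removes the account from the logon screen) and any Run/RunOnce command that invokes one of those binaries. The .reg text is constructed, the account name is a placeholder because the page elides the real value, and all function names are this example's own.

```python
from __future__ import annotations
import re
from typing import Iterator

# Key this page reports Kimsuky editing; a DWORD of 0 under it hides the account.
USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Proxy-execution binaries and the script host this page lists for Kimsuky.
LOLBIN_RE = re.compile(r"\b(mshta|regsvr32|rundll32|powershell)(\.exe)?\b", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-f]{8})|"(?P<str>.*)")$',
                      re.IGNORECASE)

# Constructed .reg export (not captured from a real host); placeholder user name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"placeholder_user"=dword:00000000
"kiosk"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="mshta.exe C:\\Users\\Public\\update.hta"
"Agent"="C:\\Program Files\\VendorAgent\\agent.exe /background"
'''

def parse_reg_export(text: str) -> Iterator[tuple[str, str, str | int]]:
    """Yield (key, value_name, value) for string and dword values in .reg text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            if m.group("dword") is not None:
                yield key, m.group("name"), int(m.group("dword"), 16)
            else:
                # .reg files double backslashes inside string data; undo that.
                yield key, m.group("name"), m.group("str").replace("\\\\", "\\")

def audit_reg_export(text: str) -> list[str]:
    """Return findings for hidden accounts and LOLBin-driven Run/RunOnce entries."""
    findings = []
    for key, name, value in parse_reg_export(text):
        if key.lower() == USERLIST_KEY.lower() and value == 0:
            findings.append(f"hidden-account: '{name}' suppressed from logon UI")
        elif RUN_KEY_RE.search(key) and isinstance(value, str) and LOLBIN_RE.search(value):
            findings.append(f"autostart-lolbin: {key}\\{name} -> {value}")
    return findings

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_REG):
        print(finding)
```

On a live host the same audit runs over the output of `reg export` for the two keys above, which is all the parser expects.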

.003 Hide Artifacts: Hidden Window

Kimsuky has used an information gathering module that will hide an AV software window from the victim.[14]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Kimsuky has downloaded additional malware with scheduled tasks.[17]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Kimsuky has signed files with the name EGIS CO,. Ltd..[11]

Software

ID Name References Techniques
S1025 Amadey [5] Data from Local System, Modify Registry, Dynamic Resolution: Fast Flux DNS, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Application Layer Protocol: Web Protocols, File and Directory Discovery, Native API, Obfuscated Files or Information, System Location Discovery, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Exfiltration Over C2 Channel, Subvert Trust Controls: Mark-of-the-Web Bypass
S0622 AppleSeed [3][17] Data from Removable Media, Data from Local System, Masquerading, Masquerading: Match Legitimate Name or Location, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Fallback Channels, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, Archive Collected Data: Archive via Utility, Data Transfer Size Limits, Data Staged: Local Data Staging, File and Directory Discovery, Native API, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, User Execution: Malicious File, Indicator Removal: File Deletion, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Time Discovery, System Network Configuration Discovery, Automated Collection, Access Token Manipulation, Input Capture: Keylogging, Process Discovery, Exfiltration Over C2 Channel, Exfiltration Over Web Service, Phishing: Spearphishing Attachment
S0414 BabyShark [4][2][18][5] Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, File and Directory Discovery, Query Registry, Indicator Removal: File Deletion, System Binary Proxy Execution: Mshta, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Scheduled Task/Job: Scheduled Task
S0252 Brave Prince [14][5] Impair Defenses: Disable or Modify Tools, File and Directory Discovery, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Query Registry, System Information Discovery, System Network Configuration Discovery, Process Discovery
S0527 CSPY Downloader [2] Masquerading: Masquerade Task or Service, Modify Registry, Application Layer Protocol: Web Protocols, Obfuscated Files or Information: Software Packing, Abuse Elevation Control Mechanism: Bypass User Account Control, User Execution: Malicious File, Indicator Removal: File Deletion, Indicator Removal, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S0032 gh0st RAT [5] Modify Registry, Shared Modules, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Dynamic Resolution: Fast Flux DNS, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Screen Capture, Data Encoding: Standard Encoding, Native API, Query Registry, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Non-Application Layer Protocol
S0249 Gold Dragon [14][5] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Archive Collected Data, Data Staged: Local Data Staging, File and Directory Discovery, Query Registry, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery
S0526 KGH_SPY [2] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores, Data from Local System, Masquerading: Match Legitimate Name or Location, Deobfuscate/Decode Files or Information, Boot or Logon Initialization Scripts: Logon Script (Windows), Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Web Protocols, Data Staged: Local Data Staging, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious File, Email Collection: Local Email Collection, System Information Discovery, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Exfiltration Over C2 Channel
S0002 Mimikatz [7][17][5] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0353 NOKKI [18] Masquerading: Match Legitimate Name or Location, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Data Staged: Local Data Staging, Obfuscated Files or Information, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Input Capture: Credential API Hooking
S0029 PsExec [7] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0262 QuasarRAT [5] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, Proxy, Modify Registry, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Unsecured Credentials: Credentials In Files, Abuse Elevation Control Mechanism: Bypass User Account Control, System Location Discovery, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services: Remote Desktop Protocol, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol, Non-Standard Port, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S0111 schtasks [2][17] Scheduled Task/Job: Scheduled Task

References