130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Information Security Centre (ISC)
    • Why we need a ISC
    • ISC Team Structure: Roles, Functions, and Tools
      • Key Function & Role
      • Tools
      • People
      • Outsource Strategy
    • HRMC Executive Paper
  • Application Security
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • Lazarus Group (APT38)
  • Kimsuky (APT43)

Was this helpful?

  1. Threat Intelligence
  2. Advanced Persistent Threat (APT) groups

North Korean APT Groups

Lazarus Group (APT38)

  • Affiliation: North Korean government's Reconnaissance General Bureau

  • Activities: Known for the WannaCry ransomware attack, Sony Pictures hack, and targeting financial institutions, media organizations, aerospace, and defense industries. Active since 2009.

  • Targets: Financial institutions, media organizations, aerospace, defense industries.

  • TTPs (Tactics, Techniques, Procedures):

    • Spear-phishing campaigns: Spearphishing Attachment, Spearphishing Link, Spearphishing via Service

    • Use of custom malware: Malware

    • Exploiting software vulnerabilities: Exploitation for Privilege Escalation, Exploitation for Defense Evasion

    • Ransomware attacks: Ransomware

    • Lateral movement within networks: Lateral Movement

  • Notable Incidents:

    • WannaCry Ransomware Attack (2017): This global ransomware attack infected over 230,000 computers across 150 countries. It encrypted data and demanded ransom payments in Bitcoin. The attack caused significant disruption to various industries, including healthcare, finance, and transportation. Read more

    • Sony Pictures Hack (2014): Lazarus Group launched a devastating cyber attack on Sony Pictures, leading to the leak of confidential information, including unreleased films, employee data, and email communications. The attack was motivated by the planned release of the movie "The Interview." Read more

    • Operation Ghost (2013-2019): Lazarus Group targeted government networks in Europe and NATO member countries, using steganography to hide data within images. This long-running campaign involved persistent surveillance and data exfiltration. Read more

Kimsuky (APT43)

  • Affiliation: North Korean state-sponsored

  • Activities: Active since 2012, targeting diplomats, NGOs, think tanks, and experts on issues related to the Korean peninsula. Known for spear-phishing and cyber espionage.

  • Targets: Diplomats, NGOs, think tanks, experts on Korean peninsula issues.

  • TTPs:

    • Spear-phishing: Spearphishing Attachment, Spearphishing Link, Spearphishing via Service

    • Credential harvesting: Credential Dumping

    • Social engineering: Spearphishing via Service

    • Use of remote access tools (RATs): Remote Access Software

    • Data exfiltration: Exfiltration Over C2 Channel

  • Notable Incidents:

    • Campaigns against South Korean targets (2018): Kimsuky has been known to regularly target South Korean government and military entities, often through spear-phishing campaigns designed to steal sensitive information. Read more

    • South Korean Government Hack (2018): This attack targeted the South Korean government, stealing sensitive political and military information. It demonstrated Kimsuky's ability to compromise high-value targets through persistent efforts. Read more

    • South Korean Media Hack (2019): Kimsuky infiltrated South Korean media organizations, aiming to influence public opinion by spreading propaganda and misinformation. Read more

    • South Korean Defense Contractors Hack (2020): This incident involved targeting South Korean defense contractors to steal information related to military technologies, showcasing Kimsuky's focus on strategic intelligence gathering. Read more

PreviousAdvanced Persistent Threat (APT) groupsNextChinese APT Groups

Last updated 4 months ago

Was this helpful?