The North Korean state-sponsored hackers known as Kimsuky has reportedly suffered a data breach after two hackers, who describe themselves as the opposite of Kimsuky’s values, stole the group’s data and leaked it publicly online.
The two hackers, named ‘Saber’ and ‘cyb0rg,’ cited ethical reasons for their actions, saying Kimsuky is “hacking for all the wrong reasons,” claiming they’re driven by political agendas and follow regime orders instead of practicing the art of hacking independently.
“Kimsuky, you are not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda,” reads the hackers’ address to Kimsuky published in the latest issue of Phrack, which was distributed at the DEF CON 33 conference.
“You steal from others and favour your own. You value yourself above the others: You are morally perverted.”
The hackers dumped a portion of Kimsuky’s backend, exposing both their tooling and some of their stolen data that could provide insight into unknown campaigns and undocumented compromises.
The 8.9GB dump currently hosted on the ‘Distributed Denial of Secrets’‘ website contains, among others:
- Phishing logs with multiple dcc.mil.kr (Defense Counterintelligence Command) email accounts.
- Other targeted domains: spo.go.kr, korea.kr, daum.net, kakao.com, naver.com.
- .7z archive containing the complete source code of South Korea’s Ministry of Foreign Affairs email platform (“Kebi”), including webmail, admin, and archive modules.
- References to South Korean citizen certificates and curated lists of university professors.
- PHP “Generator” toolkit for building phishing sites with detection evasion and redirection tricks.
- Live phishing kits.
- Unknown binary archives (voS9AyMZ.tar.gz, Black.x64.tar.gz) and executables (payload.bin, payload_test.bin, s.x64.bin) not flagged in VirusTotal.
- Cobalt Strike loaders, reverse shells, and Onnara proxy modules found in VMware drag-and-drop cache.
- Chrome history and configs linking to suspicious GitHub accounts (wwh1004.github.io, etc.), VPN purchases (PureVPN, ZoogVPN) via Google Pay, and frequent use of hacking forums (freebuf.com, xaker.ru).
- Google Translate use for Chinese error messages and visits to Taiwan government and military sites.
- Bash history with SSH connections to internal systems.
The hackers note that some of the above are already known or previously documented, at least partially.
However, the dump gives a new dimension to…
Click Here to Read the Full Original Article at BleepingComputer…