{ "id": "445a4a90-8523-4d65-92e3-ea338161df99", "created_at": "2026-04-06T00:12:51.261234Z", "updated_at": "2026-04-10T03:37:41.047939Z", "deleted_at": null, "sha1_hash": "3b640a390773e270839e173409de4a612207eaef", "title": "North Korea Hackers Linked to Breach of German Missile Manufacturer", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 89961, "plain_text": "North Korea Hackers Linked to Breach of German Missile\r\nManufacturer\r\nBy Ryan Naraine\r\nPublished: 2024-09-30 · Archived: 2026-04-02 11:58:53 UTC\r\nA professional hacking team linked to the North Korean government has broken into Diehl Defence, a\r\nGerman company that manufactures Iris-T air defense systems, using a clever phishing campaign with fake\r\njob offers and advanced social engineering tactics, according to a report by Der Spiegel.\r\nThe attack, pinned on the Kimsuky APT, combined the use of booby-trapped PDF files with spear-phishing lures\r\noffering Diehl Defence employees jobs with American defense contractors. \r\nThe targeting of Diehl Defence is significant because the company specializes in the production of missiles and\r\nammunition.  Last October, Diehl Defence inked a deal to supply South Korea with its Iris-T short-range air-to-air\r\nmissiles.\r\nAccording to the Der Spiegel report, researchers at Mandiant investigated the compromise and found the attackers\r\nperformed detailed reconnaissance on Diehl Defense ahead of the spear-phishing attacks.\r\nDer Spiegel reported that the Kimsuky hackers hid their attack server behind an address containing “Uberlingen,”\r\na reference to Diehl Defence’s location in Überlingen in Southern Germany.\r\nThe attack server also hosted authentic-looking, German-language login pages that resembled those of\r\ntelecommunications provider Telekom and email service GMX, suggesting the attackers were bulk-harvesting\r\nlogin credentials of German users.\r\nAdvertisement. Scroll to continue reading.\r\nMandiant could not be reached for comment on the report.\r\nhttps://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/\r\nPage 1 of 2\n\nKimsuky, also known as APT43, Velvet Chollima, Emerald Sleet, TA406, and Black Banshee, focuses on\r\nintelligence gathering, including in support of Pyongyang’s nuclear and strategic efforts. \r\nThe threat group has been known to target governments, think tanks, research centers, universities, and news\r\norganizations in the United States, Europe and Asia.\r\nThe US government has slapped sanctions on individuals associated with Kimsuky and issued multi-agency\r\nadvisories with technical details on the group’s hacking activities.\r\nRelated: US Sanctions North Korean Cyberespionage Group Kimsuky\r\nRelated: North Korea Kimsuky Targets Government Agencies With New Malware\r\nRelated: U.S. Shares Information on North Korean Threat Actor ‘Kimsuky’\r\nRelated: Microsoft Catches APTs Using ChatGPT for Malware Scripting\r\nRelated: Inside the APT Behind North Korea’s Digital Military Machine\r\nSource: https://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/\r\nhttps://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/" ], "report_names": [ "north-korea-hackers-linked-to-breach-of-german-missile-manufacturer" ], "threat_actors": [ { "id": "a3687241-9876-477b-aa13-a7c368ffda58", "created_at": "2022-10-25T16:07:24.496902Z", "updated_at": "2026-04-10T02:00:05.010744Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "ETDA:Hacking Team", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "3917d167-449d-423a-89db-41f49716a6d7", "created_at": "2023-03-04T02:01:54.083975Z", "updated_at": "2026-04-10T02:00:03.355386Z", "deleted_at": null, "main_name": "TA406", "aliases": [], "source_name": "MISPGALAXY:TA406", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c306e698-3b48-46d7-b571-3dfa0c828379", "created_at": "2023-05-16T02:02:09.957677Z", "updated_at": "2026-04-10T02:00:03.364345Z", "deleted_at": null, "main_name": "APT43", "aliases": [], "source_name": "MISPGALAXY:APT43", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62", "created_at": "2023-01-06T13:46:39.018236Z", "updated_at": "2026-04-10T02:00:03.183123Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "MISPGALAXY:Hacking Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "71a1e16c-3ba6-4193-be62-be53527817bc", "created_at": "2022-10-25T16:07:23.753455Z", "updated_at": "2026-04-10T02:00:04.73769Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "APT 43", "Black Banshee", "Emerald Sleet", "G0086", "G0094", "ITG16", "KTA082", "Kimsuky", "Larva-24005", "Larva-25004", "Operation Baby Coin", "Operation Covert Stalker", "Operation DEEP#DRIVE", "Operation DEEP#GOSU", "Operation Kabar Cobra", "Operation Mystery Baby", "Operation Red Salt", "Operation Smoke Screen", "Operation Stealth Power", "Operation Stolen Pencil", "SharpTongue", "Sparkling Pisces", "Springtail", "TA406", "TA427", "Thallium", "UAT-5394", "Velvet Chollima" ], "source_name": "ETDA:Kimsuky", "tools": [ "AngryRebel", "AppleSeed", "BITTERSWEET", "BabyShark", "BoBoStealer", "CSPY Downloader", "Farfli", "FlowerPower", "Gh0st RAT", "Ghost RAT", "Gold Dragon", "GoldDragon", "GoldStamp", "JamBog", "KGH Spyware Suite", "KGH_SPY", "KPortScan", "KimJongRAT", "Kimsuky", "LATEOP", "LOLBAS", "LOLBins", "Living off the Land", "Lovexxx", "MailPassView", "Mechanical", "Mimikatz", "MoonPeak", "Moudour", "MyDogs", "Mydoor", "Network Password Recovery", "PCRat", "ProcDump", "PsExec", "ReconShark", "Remote Desktop PassView", "SHARPEXT", "SWEETDROP", "SmallTiger", "SniffPass", "TODDLERSHARK", "TRANSLATEXT", "Troll Stealer", "TrollAgent", "VENOMBITE", "WebBrowserPassView", "xRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434371, "ts_updated_at": 1775792261, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3b640a390773e270839e173409de4a612207eaef.pdf", "text": "https://archive.orkl.eu/3b640a390773e270839e173409de4a612207eaef.txt", "img": "https://archive.orkl.eu/3b640a390773e270839e173409de4a612207eaef.jpg" } }