{
	"id": "746b0f04-6102-4f86-af45-b2a4d33fa10a",
	"created_at": "2026-04-06T00:13:32.462499Z",
	"updated_at": "2026-04-10T03:37:40.608951Z",
	"deleted_at": null,
	"sha1_hash": "6a149beeef56782834f952a0cf306faa8e276419",
	"title": "North Korea has tried to hack 11 officials of the UN Security Council",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1041536,
	"plain_text": "North Korea has tried to hack 11 officials of the UN Security\r\nCouncil\r\nBy Catalin Cimpanu, Contributor\r\nSept. 30, 2020 at 12:50 p.m. PT\r\nArchived: 2026-04-05 13:58:50 UTC\r\nImage: Llyass Seddoug\r\nA hacker group previously associated with the North Korean regime has been spotted launching spear-phishing\r\nattacks to compromise officials who are part of the United Nations Security Council.\r\nThe attacks, disclosed in a UN report last month, have taken place this year and have targeted at least 28 UN\r\nofficials, including at least 11 individuals representing six countries of the UN Security Council.\r\nUN officials said they learned of the attacks after being alerted by an unnamed UN member state (country).\r\nThe attacks were attributed to a North Korean hacker group known in the cyber-security community by the\r\ncodename of Kimsuky.\r\nAccording to the UN report, Kimsuky operations took place across March and April this year and consisted of a\r\nseries of spear-phishing campaigns aimed at the Gmail accounts of UN officials.\r\nThe emails were designed to look like UN security alerts or requests for interviews from reporters, both designed\r\nto convince officials to access phishing pages or run malware files on their systems.\r\nThe country which reported the Kimsuky attacks to the UN Security Council also said that similar campaigns\r\nwere carried out against members of its own government, with some of the attacks taking place via\r\nWhatsApp, and not just email.\r\nFurthermore, the same country informed the UN that Kimsuky attacks have been extremely persistent, with the North\r\nKorean hacker group pursuing \"certain individuals throughout the 'lifetime' of their [government] career.\"\r\nSimilar Kimsuky attacks detailed in a previous UN report as well\r\nThe UN 
report, which tracks and details North Korea's response to international sanctions, also noted that this\r\ncampaign has been active for more than a year.\r\nIn a similar report published in March, the UN Security Council revealed two other Kimsuky campaigns against\r\nits sitting panel officials.\r\nThe first was a series of spear-phishing attacks against 38 email addresses associated with Security Council\r\nofficials — all of whom were members of the Security Council at the time of the attack.\r\nThe second were the operations detailed in a report from the National Cybersecurity Agency of France [PDF].\r\nDating back to August 2019, these were spear-phishing attacks against officials from China, France, Belgium,\r\nPeru, and South Africa, all of whom were members of the UN Security Council at the time of the attacks.\r\nKimsuky has a long history of going after the UN\r\nBut these attacks did not stop in April, as stated in the most recent UN report on North Korea, and the Kimsuky\r\ngroup has continued to target the UN, as part of its broader efforts to spy on UN decision-making in regards to\r\nNorth Korean affairs and possible plans on imposing new sanctions.\r\n\"We are definitely still observing targeting of the United Nations - something that has been going on for quite\r\nsome time and has been continuous in the past six months,\" Sveva Vittoria Scenarelli, a senior analyst in PwC's\r\nThreat Intelligence team, told ZDNet today.\r\n\"From our visibility, we are seeing Kimsuky particularly focused on the OHCHR (the UN's Office of the High\r\nCommissioner for Human Rights). For example, we're seeing domains pretending to be OHCHR intranets,\"\r\nScenarelli added.\r\nThe PwC analyst, who is an expert in Kimsuky operations, says most of the group's operations are spear-phishing\r\nattacks aimed at obtaining a victim's credentials for various online accounts. 
Other spear-phishing operations also\r\naim to get the victims infected with malware.\r\n\"Sometimes both types of operations are conducted against the same target,\" Scenarelli said.\r\nAsked about the information put forward by the unnamed country that some Kimsuky operations had targeted\r\nselect officials throughout the lifetime of their government careers, Scenarelli said this was typical of Kimsuky's\r\npast campaigns.\r\n\"We have most definitely observed Kimsuky targeting specific individuals — in fact, up to the present moment —\r\neven going as far as registering Internet domains containing the individual targets' names,\" the PwC analyst said.\r\n\"It's not as much of an isolated case — rather, we assess that specific individuals are targeted because of their role\r\nand the information they have access to. So in this sense, this kind of targeting is highly likely to be driven by\r\nspecific objectives, be these intelligence collection or something else,\" Scenarelli added.\r\n\"As to whether the targeting continues for the entirety of targets' career, this might depend on the individual target.\r\nThough we do not have direct visibility at this level of specificity, we'd assess it is likely that Kimsuky might\r\ncontinue to target that individual so long as they are presumed to have access to information of interest, and so\r\nlong as Kimsuky's strategic objectives require the threat actor to gain access to certain information.\r\n\"If all needed information is acquired, or if these strategic objectives change, then Kimsuky might focus its\r\ntargeting somewhere else, which is a \"pivot\" that we've seen the threat actor make before.\"\r\nScenarelli is set to hold a talk on Kimsuky operations today at the Virus Bulletin 2020 security conference. 
This\r\narticle is unrelated to her presentation.\r\nSource: https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/"
	],
	"report_names": [
		"north-korea-has-tried-to-hack-11-officials-of-the-un-security-council"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434412,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a149beeef56782834f952a0cf306faa8e276419.pdf",
		"text": "https://archive.orkl.eu/6a149beeef56782834f952a0cf306faa8e276419.txt",
		"img": "https://archive.orkl.eu/6a149beeef56782834f952a0cf306faa8e276419.jpg"
	}
}