Kimsuky Leverages Trusted Platforms in Attacks on South Korean Targets

Recent cyber activities linked to North Korean threat actors, particularly the Kimsuky group, demonstrate a notable evolution in their techniques. They are increasingly leveraging living-off-the-land (LotL) strategies, relying on common services to remain undetected. A recent operation, identified as “DEEP#DRIVE” by Securonix, exemplifies this trend, utilizing PowerShell scripts and Dropbox for data storage while enhancing their operational security protocols.

During the DEEP#DRIVE campaign, Kimsuky employed a variety of deceptive tactics, including fake work logs and insurance documents, to manipulate users into downloading a malicious zipped shortcut file. This file was engineered to collect system configuration data and execute PowerShell and .NET scripts. Once a system was compromised, the attack tools facilitated the transfer of sensitive information to Dropbox, where the group could then retrieve additional commands for further exploitation.

While Kimsuky has shown interest in immediate financial gains — such as targeting cryptocurrency users — the overarching focus remains on collecting sensitive information from South Korean entities, particularly government agencies and businesses. Tim Peck, a senior threat researcher at Securonix, emphasized that the group’s exploitation efforts reflect a predominant espionage motivation, consistent with their historical patterns of targeting South Korean infrastructure.

North Korean cyber operations have historically targeted South Korea and the United States, with South Korean organizations being particularly vulnerable. In September 2024, the FBI issued warnings about anticipated attacks on organizations holding substantial cryptocurrency reserves, coinciding with Kimsuky’s multistage attacks against South Korean targets in the previous year.

Kimsuky consists of multiple sub-groups, each specializing in distinct sectors, including healthcare and cryptocurrency. According to Recorded Future, these groups were responsible for the majority of identified attacks attributed to North Korea from 2021 to 2023, a pattern that continued into 2024. Their activities often center on high-volume phishing campaigns aimed primarily at South Korean individuals and organizations, rather than narrowly tailored spear-phishing attempts.

In the context of the DEEP#DRIVE campaign, researchers identified a significant number of system configuration files uploaded to Dropbox, indicating a well-executed attack that may have affected thousands of devices. The data extracted during these breaches includes critical information such as host IP addresses, operating system details, and installed security software, indicating a systematic approach to data collection.

The operational security enhancements utilized by Kimsuky are particularly noteworthy. The group implemented OAuth-based authentication for their Dropbox storage, making it more challenging for conventional defenses to mitigate the threat. Furthermore, they exhibited a swift response in dismantling parts of their infrastructure upon detection by cybersecurity researchers, showcasing an elevated level of awareness often lacking in typical phishing campaigns.

For organizations, these developments underscore the imperative to stop hiding file extensions in Explorer (so a double extension such as a disguised shortcut is visible), restrict execution of shortcut files in user directories, and permit only signed PowerShell scripts. Such measures significantly increase the likelihood of detecting malicious activity before it escalates.
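The following script is an added example written for this article; it is not code from Securonix, the article's author, or any Kimsuky sample. It applies two of the three hardening measures above (showing file extensions, requiring signed PowerShell scripts) and then audits user-writable directories for shortcut files whose target or arguments invoke a script host, which is the lure technique described earlier (a zipped shortcut that launches PowerShell). The search roots and the interpreter pattern are assumptions chosen for the example; the registry value, execution-policy cmdlet, and WScript.Shell COM interface are standard Windows facilities.

```powershell
# Added example (not from the Securonix report or the article): hardening and
# audit steps for the measures described above. Run from an elevated session and
# validate on a test host before deploying.

# 1. Show file extensions in Explorer so "report.pdf.lnk" is not shown as "report.pdf".
#    HideFileExt is a per-user value under Explorer\Advanced; Explorer must be
#    restarted (or the user must log off) for the change to take effect.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerKey -Name 'HideFileExt' -Value 0 -Type DWord

# 2. Require signed PowerShell scripts machine-wide. Scripts without a trusted
#    Authenticode signature will be refused, including ones a .lnk tries to launch.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Audit shortcuts in user-writable locations and flag any whose target or
#    arguments reference an interpreter or LOLBin. Shortcut metadata is read via
#    the WScript.Shell COM object, which exposes TargetPath and Arguments.
function Get-SuspiciousShortcut {
    param(
        # Assumed search roots for this example; extend to match your environment.
        [string[]]$SearchRoot = @("$env:USERPROFILE\Downloads",
                                  "$env:USERPROFILE\Desktop",
                                  $env:TEMP),
        # Assumed pattern: hosts a document-style shortcut should rarely launch.
        [string]$HostPattern = 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32'
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($root in $SearchRoot) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk     = $shell.CreateShortcut($_.FullName)
                $cmdline = "$($lnk.TargetPath) $($lnk.Arguments)"
                if ($cmdline -match $HostPattern) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                        # Very long argument strings are typical of encoded script launchers.
                        ArgLength = $lnk.Arguments.Length
                    }
                }
            }
    }
}

# 4. Confirm the settings took effect and report any flagged shortcuts.
$policy = Get-ExecutionPolicy -Scope LocalMachine
$hide   = (Get-ItemProperty -Path $explorerKey -Name 'HideFileExt').HideFileExt
Write-Host "LocalMachine execution policy: $policy (expected: AllSigned)"
Write-Host "HideFileExt: $hide (expected: 0)"
Get-SuspiciousShortcut | Format-Table -AutoSize
```

The audit function only reports; actually blocking shortcut execution in user directories is an enforcement decision best made with AppLocker or Software Restriction Policies through Group Policy, so the same rule reaches every host consistently. AllSigned is also bypassable by an attacker who can run arbitrary native code, so treat it as one layer that raises the cost of script-based lures rather than a complete control.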

In addition to technical defenses, companies, particularly those in cryptocurrency and governmental sectors, are advised to strengthen their email security protocols and conduct regular training sessions on recognizing phishing attempts. As the majority of North Korean cyber incursions initiate through social engineering tactics, maintaining vigilance and preparedness is crucial to mitigating risks associated with these sophisticated attacks.
