Hackers breach computer seemingly used by North's Kimsuky group

In a report published in the e-zine Phrack, two hackers claimed to have found evidence, by breaching a computer used by a member of Pyongyang's Kimsuky cyberespionage group, that North Korean hackers targeted South Korean government networks and companies. [GETTY IMAGES]

 
North Korean hackers targeted South Korean government networks and companies, according to evidence uncovered when two hackers breached a computer apparently used by a member of Pyongyang’s notorious Kimsuky cyberespionage group, technology news outlet TechCrunch reported Tuesday.
 
TechCrunch said hackers going by the names “Saber” and “cyb0rg” detailed their findings in the latest issue of the e-zine Phrack, claiming they gained access to a workstation owned by a hacker they called “Kim.”
 

The computer contained a virtual machine and virtual private servers, and Kim belonged to Kimsuky, a unit under North Korea’s Reconnaissance General Bureau, the state's primary intelligence agency responsible for clandestine operations, according to the TechCrunch report.
 
The outlet described the incident as “an almost-unprecedented look inside the operation of Kimsuky,” noting that while cybersecurity researchers and companies have typically analyzed data from breaches, these hackers directly infiltrated the device of an alleged group member.
 
Kimsuky is widely known as an advanced persistent threat group operating under the North Korean government. It targets government agencies and organizations of interest to Pyongyang, particularly in South Korea.
 
Like other hacking groups, it also conducts cybercrime, including stealing and laundering cryptocurrency to help fund the North’s nuclear weapons program.
 
The two hackers said the breach revealed “how openly ‘Kimsuky’ cooperates with Chinese [government hackers] and shares their tools and techniques.”
 
The hackers claimed in the Phrack report that they found evidence that Kimsuky had hacked into multiple South Korean government networks and companies but did not name specific entities.
 
They also said they obtained email addresses, hacking tools used by Kimsuky, internal manuals and passwords.
 
They linked Kim to Kimsuky based on clues such as file configurations and domains previously associated with the group.
 
The hackers added that Kim kept “strict office hours,” always logging in for a regular work day based on the time in Pyongyang, from 9 a.m. to 5 p.m.


This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom staff.
BY HYEON YE-SEUL