Hackers claim to have compromised the computer of a North Korean government hacker and leaked its contents online, offering a rare glimpse into a hacking operation by the notoriously secretive nation. The two hackers, who go by Saber and cyb0rg, published a report about the breach in the latest issue of Phrack magazine, a legendary cybersecurity e-zine first published in 1985. The latest issue was distributed at the Def Con hackers conference in Las Vegas last week.
In the article, the hackers wrote that they compromised a workstation containing a virtual machine and a virtual private server belonging to the hacker, whom they call “Kim.” They claim Kim works for the North Korean government espionage group known as Kimsuky, also referred to as APT43 and Thallium. The stolen data was leaked to DDoSecrets, a nonprofit collective that stores leaked datasets in the public interest.
Kimsuky is a prolific advanced persistent threat group widely believed to operate inside North Korea’s government. The group targets journalists, government agencies in South Korea and elsewhere, and other entities of interest to North Korea’s intelligence apparatus. Like other North Korean hacking groups, Kimsuky also engages in cybercriminal activities, such as stealing and laundering cryptocurrencies to fund the country’s nuclear weapons program.
This breach provides an almost-unprecedented look inside Kimsuky’s operations, as the hackers directly compromised one of the group’s members rather than relying on indirect investigations typical of cybersecurity research. The hackers noted that the breach reveals how openly Kimsuky collaborates with Chinese government hackers, sharing tools and techniques.
While Saber and cyb0rg’s actions technically constitute a crime, they are unlikely to face prosecution given North Korea’s heavily sanctioned status. The hackers made it clear they believe Kimsuky members deserve exposure and condemnation.
In their report, they criticized Kimsuky, stating, “Kimsuky, you’re not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda. You steal from others and favor your own. You value yourself above the others: You are morally perverted. You hack for all the wrong reasons.”
The hackers claim to have uncovered evidence of Kimsuky compromising several South Korean government networks and companies, along with email addresses, hacking tools, internal manuals, passwords, and other sensitive data. Emails sent to addresses allegedly belonging to the hackers went unanswered.
Saber and cyb0rg identified Kim as a North Korean government hacker based on “artifacts and hints,” including file configurations and domains previously linked to Kimsuky. They also noted Kim’s strict office hours, with connections consistently starting around 09:00 and ending by 17:00 Pyongyang time.