The Whisperer: Kimsuky

← Home·Gallery·Techniques

Threat Intelligence Tarot

Major Arcana · 10

North Korea (RGB)

G0094

★★★★★

risk 3/5

✦ The Whisperer ✦

Kimsuky

Thallium · Black Banshee · Velvet Chollima · APT-C-55

Think tanksAcademic researchersJournalistsSouth Korean governmentNuclear experts

Active since ~2012 · Intelligence collection, Policy research, Sanctions monitoring

It reads your emails about nuclear policy before you send the reply. It listens to your research conversations and reports to Pyongyang on what the outside world thinks of North Korea's next move. It is an ear pressed against the wall of every room that matters.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.001

Spearphishing Attachment

Initial Access

T1056.001

Keylogging

Collection

T1102

Web Service

Command and Control

T1114.002

Remote Email Collection

Collection

T1134

Access Token Manipulation

Privilege Escalation

Notable Operations

◆Operation Smoke Screen (South Korean targets)
◆COVID-19 vaccine researcher targeting
◆Nuclear policy think tank access
◆Operation Stolen Pencil (academic credential theft)

Defenses

▸
Phishing awareness training with political and research themes
NIST CSF: PR.AT ↗
▸
Google Workspace / M365 advanced threat protection
CIS Control 9 ↗
▸
Browser isolation for high-risk researcher workflows
CIS Control 9 ↗
▸
Endpoint keylogger detection and process monitoring
CIS Control 10 ↗

Reversed: Their Weakness

Kimsuky's targeting is sometimes so narrow that victims can identify the operation simply by recognizing they received an email. Its precision is a double-edged sword - targeted actors are more likely to report it.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Alchemist Next →The Flame Keeper

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.