How the “Kim” dump exposed North Korea's credential theft playbook
144 comments
September 6, 2025
lawgimenez
_def
> I am a Hacker and I am the opposite to all that you are. In my realm, we are all alike. We exist without skin color, without nationality, and without political agenda. We are slaves to nobody.
Classic elitist take ignoring that this space where "all are alike" can only work for certain kinds of people.
helqn
On the Internet, nobody knows you’re a dog. Unless you make it your whole personality telling everybody that you are a dog. Maybe stop doing that.
dobin
No tolerance for the intolerant.
drtgh
Your quote is out of context; they are talking to North Korea's -sociopathic- government accomplice:
<< Kimsuky, you are not a hacker. You are driven by financial greed, to enrich
your leaders, and to fulfill their political agenda. You steal from others
and favour your own. You value yourself above the others: You are morally
perverted. >>
North Korean citizens are kidnapped by a dictatorship. They are talking to someone who supports crimes against humanity.
rikafurude21
I would go as far as to say slaves of a dictatorship. Most likely threatened with death, including the hackers' entire family, if they don't follow the line. Considering these factors, how much do you think they actually "support crimes against humanity"? North Koreans filter their students very early on to find the smart ones and teach them hacking in specialized military camps. Whoever this hacker is, he probably has been handpicked and groomed for the job he's doing.
sublinear
To quote the movie Hackers:
"Cool? It's not cool. It's commie bullshit!"
sim7c00
Brian: We are all different! Guy: I'm not!
It's always just some cheesy hacker words put to seem mysterious or whatever -_-.
We are legion, we are one, etc. Anything like that falls apart quickly if you attach identity to something, doesn't it?
I guess by being anonymous online some forget they are not anonymous IRL. A lot of being alone with the terminal ^^>
Gotta read between all the fluff tho.
codedokode
Why doesn't everyone working with the government use hardware keys without passwords so that phishing is useless?
ac29
I know some people in the US government who definitely need a hardware key to access computing resources including email. They work for the Dept of the Interior on science stuff, nothing related to national security or otherwise sensitive info.
They mentioned this was a pain in the ass, and a very weird restriction since technically any member of the public can ask for a copy of their emails via FOIA.
bornfreddy
Because hardware keys are so 2000 - we have apps now. With Play Protect Premium Enterprise to make sure the phone is secure. /s
jamedjo
> Attribution Scenarios: Option A: DPRK Operator Embedded in PRC
> Use of Korean language, OCR targeting of Korean documents, and focus on GPKI systems strongly suggest North Korean origin.
I don't follow how needing OCR to read Korean documents points to them being North Korean?
Could also point in the opposite direction of them needing to copy the text for translation.
Thorrez
Their shell history shows them using OCR tools. AFAIK it doesn't show them using translation tools.
jamedjo
Fair, and appears I missed the first part "Use of Korean language".
The OCR still tells us more about the target than the actor, but I guess they are suggesting the choice of target itself is the indicator.
sgnelson
This is interesting due to the tying of DPRK and PRC. It seems hard to say how much coordination there is between the two, but whatever it is, it appears to be greater than zero. While not necessarily surprising, I wonder if this public attribution will make it harder for the PRC to deny involvement with both the DPRK's efforts and their own.
wrp
Regardless of how unhappy Beijing may be with things Pyongyang does, North Korea is of such obvious strategic importance to China that they are unlikely to ever waver in their support of the regime or even try to hide it.
energy123
China kept backing Khmer Rouge despite the millions dead and even invaded Vietnam to protect them. Amoral, self interested actor at best. There's nothing North Korea could do to their own people to change the support.
hetman
In fairness, the US kept indirectly funding the Khmer Rouge even after evidence of their atrocities came to light for their own strategic geopolitical reasons.
The realpolitik of international relations very often follows the words of the British prime minister, Lord Palmerston: "We have no eternal allies, and we have no perpetual enemies. Our interests are eternal and perpetual, and those interests it is our duty to follow."
chasd00
Anything happens to North Korea and all those starving people flood into China. I think that’s why China supports North Korea.
mytailorisrich
China did not, and still doesn't, want US troops at its border. That's why it originally intervened and why it supports North Korea. At the time there was also a further risk that the US might invade China.
bfg_9k
I mean, same could be said about South Korea. It would instantly drag their GDP per capita down by more than half, and that's not even counting how much money would need to be spent to re-develop NK.
moomoo11
How did they manage to brain control millions of people like that? I mean it’s so ludicrous to an outsider.
the_af
What's surprising about this? It's not dissimilar to how the US behaves towards their less than savory strategic allies (or, historically, towards dictatorships as long as they were US-aligned).
wrp
Not saying it should be surprising. Just trying to answer the question.
thisislife2
Exactly. It's the equivalent of something like western Five / Nine / Fourteen Eyes, that also share intelligence within the alliance.
ummonk
I don’t see any smoking gun here that would prevent the PRC from denying its involvement in these hacking efforts.
jmyeet
I don't think Chinese support for NK has ever been a secret any more than US support for South Korea has. And it's in China's backyard, so they've got way more of an excuse.
And if you think that doesn't matter, look at the Monroe Doctrine [1].
Taken further, the so-called Cuban Missile Crisis should really be called the Turkey Missile Crisis. The US (through NATO) placed Jupiter nuclear MRBMs in Turkey, only hundreds of miles from Moscow. The USSR responded by doing the exact same thing, by placing nuclear weapons in Cuba. And the US almost started World War 3 over it.
It was the USSR who stepped back from the brink and, as a result of a secret agreement, the Jupiter MRBMs were quietly removed from Turkey [2].
[1]: https://en.wikipedia.org/wiki/Monroe_Doctrine
[2]: https://www.wilsoncenter.org/blog-post/jupiter-missiles-and-...
veqq
> The USSR responded by doing the exact same thing
This paints it as tit for tat, but to avert invasion the Cubans asked for the missiles over a year after the missiles were placed in Turkey. The resolution combined these separate issues.
churchill
Why is this comment downvoted? You have the right to see China, USSR and NK as immoral regimes but there's nothing non-factual here.
charonn0
The topic is cybercrime and espionage, not nuclear brinksmanship or colonialism. Whatever parallels can be drawn don't seem to be very relevant, so the comment comes off as an attempt to deflect criticism.
corimaith
The causality between missiles in Turkey causing the Cuban Missile Crisis is unsubstantiated by historical facts from the Soviets' own perspectives.
It's more that Cuba requested nukes first, the USSR opportunistically took the offer, and then, to resolve the crisis, they took that opportunity to remove the Turkish missiles. It wasn't really a tit for tat on the part of the USSR's intentions; Cuba was the primary agent here.
Not that it really mattered later on once ICBMs are developed.
tonyhart7
In the intelligence and cybersecurity community this is a well-known fact.
After all, the Chinese were the first to have an official military cyber unit (first in the world).
North Korea followed suit for monetary reasons and even has property (hotels etc.) on the Chinese mainland to run operations from there.
As for China? They basically have a "laundry" business that takes dollars from Korea in exchange for supplies.
hexpeek
I’ve heard that in North Korea it is difficult for ordinary people to learn or own a computer. It is assumed that a small number of elite operatives are selected and trained to carry out such tasks, and it is somewhat surprising that they possess the latest technology and conduct hacking.
asdff
If anything the hackers in north korea are probably world class if the government is getting their students into focused training programs early in their schooling. Western nations have nothing equivalent due to schooling being generalist and undergrad and grad school not really introducing you to the sort of work you'd actually do on the job as a hacker. 22 year old western hacker for a 3 letter agency is going to have maybe a 6 month softball tangentially related internship of experience under their belt while the north korean might have years and years by that point.
awesome_dude
> 22 year old western hacker for a 3 letter agency is going to have maybe a 6 month softball tangentially related internship of experience under their belt while the north korean might have years and years by that point.
I was with you right up until this bit
The agencies concerned tend to recruit people that have demonstrated ability in that field, and they've usually got it with "self-directed" training :)
Joel_Mckay
State sponsored thieves are not a talent pool that anyone wants in a trusted position.
The fact is there were only around 40 unique hacks ever invented, and people simply adapt these into new zero day exploits. Notably, this is now mostly a fully automated process.
If people want in, they will get in eventually. =3
I realize you are preemptively disagreeing with the surprisingly low estimate of exploit taxonomy, but human statistical behavior is also not as complex as many believe.
stingraycharles
I always understood that these hacks are one of the main ways for North Korea to actually earn money in other currencies, as they’ve been barred from trading with pretty much the entire world.
ummonk
North Korean teams tend to perform very well in coding contests, so it’s a safe bet that North Korea is quite good at nurturing a small slice of elite computing talent.
SoftTalker
They just identify talented individuals and send them to schools in China or elsewhere to learn the latest tech.
richardfeynman
source? interesting if true.
Ray20
> somewhat surprising that they possess the latest technology and conduct hacking.
Why does this surprise you? As you said, selecting capable people is not a problem. And then these capable people get the best possible motivation. I would say it is expected to get qualified hackers in such conditions, who are proficient in all latest technologies.
tremon
> The dump also revealed reliance on GitHub repositories known for offensive tooling. TitanLdr, minbeacon, Blacklotus, and CobaltStrike-Auto-Keystore were all cloned or referenced in command logs.
What's the rationale for allowing the development of offensive tooling on github? Is this a free-speech thing, or are these repositories relevant for scientific research in some way?
StrauXX
They are heavily used in penetration tests and red teaming engagements. Banning such tools from the public just mystifies attackers' ways to defenders, while not in any way hindering serious malicious actors. We had that discussion back in the 90s and early 2000s.
freedomben
Agreed. Plus it's not always a clear line between offensive and legitimate usage. For many years nmap was banned on most corporate networks, but it's an invaluable tool for legitimate use too, despite being useful for offensive cases as well
wkat4242
It's mainly because nmap detection is a feature of most IDS, so it's bound to raise some red flags.
Same with even doing packet sniffing. It can be detected when using Wireshark because it does reverse DNS lookups for each IP it sees in its default configuration.
I had legit reasons for it at work so I always mentioned it to the network guys before doing stuff like this. We also had a firewalled lab network. We did get some pushback once when some scans leaked out to the office network. But it was their fault for having the firewall open.
randall
One time I ran nmap against my dev box at Facebook. I was definitely worried someone was going to give me a stern talking to.
hsbauauvhabzb
While that may be true, it’s less true for things like cobalt strike. I’m not saying that banning tooling would be a good thing, but it’s a bad argument to compare Nmap to remote access tools.
laveur
I think they get heavily used by security researchers, and other people that do regular Penetration Testing.
awesome_dude
Isn't Github supposed to be blocking sanctioned countries, like Iran, and North Korea?
https://docs.github.com/en/site-policy/other-site-policies/g...
throwaway2037
About Iran & GitHub:
https://docs.github.com/en/site-policy/other-site-policies/g...
> GitHub now has a license from OFAC to provide cloud services to developers located or otherwise resident in Iran. This includes all public and private services for individuals and organizations, both free and paid.
> GitHub cloud services, both free and paid, are also generally available to developers located in Cuba.
overfeed
Do you have any reason to suspect GitHub isn't blocking those countries? How long do you think an offensive-security sponsor/passport-issuing nation might take to get around GitHub IP-blocks?
dmoy
Right exactly. The only way IP blocks work is if there's no vulnerable machines to take over anywhere. That is - it basically doesn't work for any motivated attacker.
You could hypothetically make it work, but it would mean an extremely different Internet and device landscape than exists today. (And even then I doubt it stops a nation-state level attacker, they can always use old fashioned espionage to get someone in meat space and get around any technical barrier)
traverseda
What alternative do you suggest?
rpdillon
Wait, installing nmap on your laptop from a Linux distribution's repositories is a crime in Germany?
kace91
>Not sure about US law, but in Germany, creating or possessing a hacking tool (including things like nmap) is a criminal offence.
Surely that must be wrong, are security certs not a thing in Germany?
kulahan
In the US you’re allowed to have pretty much whatever code you want on your computer, obviously excepting binary representations of illegal photo/video content.
How do they even enforce it? Or is it just an extra law to throw at someone already convicted of something?
esseph
That is fucking insane.
Basically Linux itself would be classified as a "hacking tool".
Pocomon
> The leaked dataset attributed to the “Kim” operator offers a uniquely operational perspective into North Korean-aligned cyber operations.
It's puzzling why the NORC hackers didn't use a nearest neighbor hack rather than leaving a trail of bread crumbs all the way back to Pyongyang ;)
wkat4242
Sometimes sending a message is part of the point. And you still have plausible deniability anyway "it was a false flag booo".
The Russians do this a lot. This kind of attack is one they want everyone to know is happening, without telling you they are behind it, and denying it in all colours.
aussieguy1234
That's a fairly detailed analysis of an APT workflow.
Now, non-APT actors, if they wanted to up their level of sophistication, might replicate some of these workflows for their own nefarious activities.
awesome_dude
There's always a risk of openness creating copycats, but there's also the fact that informed decisions can now be made by people who need to mitigate against these malicious actors.
There's no way to only give the information to one group without the other group getting their hands on it.
fragmede
There's levels between not sharing it with anybody, and dumping it up on the public web for everyone to see. There are private disclosure lists they could have used, if they wanted to.
sim7c00
Interesting stuff, but the China angle is a bit overstated with option A/B.
It could simply be that the guy maintains presence there because he has access. NK has no public internet, so he might simply enjoy internet access -_- rather than necessarily be either pretending to be Chinese or working for them...
jmyeet
So this is interesting from a technical perspective. Some of this infrastructure is used by pen testers and the likes, which just goes to show that there is no such thing as a defensive weapon. I'll let you ponder why that might be pertinent.
Unfortunately, it quickly turns into a discussion of how bad NK and China are and how China shouldn't support NK (because, again, they're bad).
I'll offer two words to expose the hypocrisy of this: Stuxnet, Pegasus.
curtisszmania
[dead]
I believe these are the hackers responsible for this leak: https://phrack.org/issues/72/7_md#article