North Korean Kimsuky hackers exposed in alleged data breach
The North Korean state-sponsored hacking group known as Kimsuky has reportedly suffered a data breach after two hackers, who describe themselves as holding values opposite to Kimsuky’s, stole the group’s data and leaked it publicly online.
The two hackers, going by ‘Saber’ and ‘cyb0rg,’ cited ethical reasons for their actions, saying Kimsuky is “hacking for all the wrong reasons” and claiming the group is driven by political agendas and follows regime orders rather than practicing independent hacking.
The 8.9GB dump currently hosted on the ‘Distributed Denial of Secrets’ website contains:
- Phishing logs with multiple dcc.mil.kr (Defense Counterintelligence Command) email accounts.
- Targeted domains: spo.go.kr, korea.kr, daum.net, kakao.com, naver.com.
- .7z archive containing the complete source code of South Korea’s Ministry of Foreign Affairs email platform, including webmail, admin, and archive modules.
- References to South Korean citizen certificates and curated lists of university professors.
- PHP “Generator” toolkit for building phishing sites with evasion and redirection tricks.
- Live phishing kits.
- Unknown binary archives and executables not flagged on VirusTotal.
- Cobalt Strike loaders, reverse shells, and Onnara proxy modules found in VMware drag-and-drop cache.
- Chrome history and configs linking to suspicious GitHub accounts, VPN purchases via Google Pay, and frequent use of hacking forums.
- Bash history with SSH connections to internal systems.
To read the complete article see: North Korean Kimsuky hackers exposed in alleged data breach
This post is licensed under CC BY 4.0 by the author.