Hackers Breach North Korean Cyber Operative, Leak Rare Inside Look at Kimsuky Group

Rare breach reveals North Korea’s Kimsuky group’s tools, tactics, and ties to China.

Emmanuella Madu

In a rare and bold cyber move, hackers known as Saber and cyb0rg claim to have compromised the computer of a North Korean government hacker and leaked its contents online, exposing the inner workings of the notorious espionage group Kimsuky.

The two detailed their breach in the latest issue of Phrack magazine, distributed at the Def Con conference in Las Vegas last week. They say they infiltrated a workstation containing a virtual machine and a virtual private server belonging to “Kim,” a suspected member of Kimsuky, also known as APT43 or Thallium.

Kimsuky, believed to operate under North Korea’s government, is known for cyber-espionage against journalists, government agencies, and other intelligence targets, as well as stealing cryptocurrency to fund the nation’s nuclear weapons program.

According to the hackers, the breach revealed evidence of cooperation between Kimsuky and Chinese state-aligned hackers, as well as shared tools, stolen credentials, internal manuals, and access to compromised South Korean government and corporate networks.

While their actions are technically illegal, Saber and cyb0rg expressed no remorse, accusing Kimsuky of hacking for greed and political agendas. “You hack for all the wrong reasons,” they wrote.

Emails sent to the addresses allegedly linked to the breached hacker went unanswered. The two claim they identified “Kim” through forensic clues in files, configurations, and domain records, noting his consistent 9-to-5 Pyongyang working hours.

This hack provides one of the most direct glimpses yet into Kimsuky’s operations, an insight usually only available through indirect forensic investigations.