An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | June 1, 2023

U.S., ROK Agencies Alert: DPRK Cyber Actors Impersonating Targets to Collect Intelligence

FORT MEADE, Md. - The National Security Agency (NSA) is partnering with several organizations to highlight the Democratic People’s Republic of Korea’s (DPRK) use of social engineering and malware to target think tanks, academia, and news media sectors.

To help protect against these DPRK attacks, NSA and partners are publicly releasing the Cybersecurity Advisory (CSA), “North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media.”

“DPRK state-sponsored cyber actors continue to impersonate trusted sources to collect sensitive information,” said Rob Joyce, NSA director of Cybersecurity. “Education and awareness are the first line of defense against these social engineering attacks.”

The agencies — the Federal Bureau of Investigation (FBI), U.S. Department of State, and the Republic of Korea’s (ROK) National Intelligence Service, National Policy Agency, and Ministry of Foreign Affairs — have observed sustained information gathering efforts originating from a specific set of DPRK cyber actors known collectively as Kimsuky, THALLIUM, or VELVETCHOLLIMA.

The advisory details how North Korea relies heavily on intelligence gained from these spearphishing campaigns. Successful compromises of the targeted individuals enable Kimsuky actors to craft more credible and effective spearphishing emails that can be leveraged against sensitive, high-value targets.

“These cyber actors are strategically impersonating legitimate sources to collect intelligence on geopolitical events, foreign policy strategies, and security developments of interest to the DPRK on the Korean Peninsula,” said Joyce.



Kimsuky is administratively subordinate to an element within North Korea’s Reconnaissance General Bureau (RGB). The RGB is primarily responsible for this network of cyber actors and activities. Data stolen by Kimsuky is shared with other DPRK cyber actors in support of the RGB’s objectives.

NSA and its partners encourage individuals and U.S. entities to implement the mitigations listed in the CSA to protect against DPRK actors’ cyber operations, and to report spearphishing examples to www.ic3.gov with a reference to “#KimsukyCSA” in the incident description.

Read the full report here.

Visit our full library for more cybersecurity information and technical guidance.


NSA Media Relations
MediaRelations@nsa.gov
443-634-0721