STOLEN PENCIL

Threat Actor Profile Updated 3 months ago
The STOLEN PENCIL operation, first reported in May 2018, was a cyber espionage campaign potentially originating from the Democratic People's Republic of Korea (DPRK). The threat actor, known as Kimsuky, targeted academic institutions using spear-phishing tactics for initial intrusion. This involved sending targets deceptive messages containing links to domains controlled by the threat actor. Twitter user @MD0ugh was one of the first to report being a target of this campaign. Upon gaining a foothold on a user’s system, the threat actors used Microsoft’s Remote Desktop Protocol (RDP) for remote point-and-click access. They employed the GREASE malware during the operation, demonstrating their sophisticated toolset and capabilities. However, despite these advanced techniques, Netscout noted that the operators behind STOLEN PENCIL were sloppy in covering their tracks, with shared infrastructure and overlapping victims between different threads of activity. In addition to the aforementioned tactics, Kimsuky has been known to use Chromium-based browser extensions for cyber espionage purposes. Such techniques have been previously seen in campaigns tracked as Stolen Pencil and SharpTongue. Despite the unclear sequence of events and the overlap in victims, ASERT identified the STOLEN PENCIL campaign as a distinct Advanced Persistent Threat (APT) targeting academic institutions since at least May 2018.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Each entry gives the profile name, the number of community votes for the overlap, and the start of that profile's description.

Kimsuky (2 votes)
Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi

Sharptongue (1 vote)
SharpTongue, a cybersecurity threat actor also known as Kimsuky, has been identified as the entity behind a series of sophisticated cyber espionage campaigns. These campaigns have been characterized by their unique approach of using Chromium-based browser extensions for malicious purposes. The group
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Espionage
Phishing
Malware
Associated Malware
No associations to display

Associated Threat Actors
No associations to display

Associated Vulnerabilities
No associations to display
Source Document References
Information about the STOLEN PENCIL Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Each entry gives the source, when it was recorded, and the document title.

MITRE, a year ago: Cyber-espionage group uses Chrome extension to infect victims
MITRE, a year ago: North Korean Advanced Persistent Threat Focus: Kimsuky | CISA
MITRE, a year ago: STOLEN PENCIL Campaign Targets Academia | NETSCOUT
CERT-EU, a year ago: German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CERT-EU, a year ago: An army of hackers from North Korea is carrying out large-scale cyberattacks on government officials and politicians in the US and South Korea