STOLEN PENCIL is a cyber espionage campaign, active since at least May 2018, that has been assessed as possibly originating from the Democratic People's Republic of Korea (DPRK). The threat actor behind it, tracked as Kimsuky, targeted academic institutions and relied on spear-phishing for initial intrusion: targets received deceptive e-mails containing links to domains controlled by the threat actor. Twitter user @MD0ugh was one of the first to publicly report being targeted by this campaign.
Once they had a foothold on a victim's system, the operators used Microsoft's Remote Desktop Protocol (RDP) for interactive, point-and-click access rather than a custom backdoor. To make that possible they deployed GREASE, a tool that adds a Windows administrator account and enables RDP while bypassing the host's firewall settings. Netscout noted that, rather than being especially sophisticated, the operators behind STOLEN PENCIL were sloppy in covering their tracks: infrastructure was shared, and victims overlapped, between different threads of activity.
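The host-level pattern GREASE leaves behind (a new local account, that account added to Administrators, then Remote Desktop switched on) is a compact detection target. The following is an added example written for this page, not code from the ASERT report or from the Kimsuky tooling. The telemetry is constructed: the event IDs are real Windows Security (4720 user created, 4732 member added to a local group) and Sysmon (13 registry value set, 1 process create) identifiers, but the flat JSON field names, the host and user names, and the ten-minute correlation window are assumptions of the example rather than anything the report specifies.

```python
"""Detection heuristic for a GREASE-like post-exploitation chain.

Added example, not from the page or the ASERT report. The log lines are
constructed; the JSON schema is a simplified rendering of Windows Security
and Sysmon events assumed for this example, not the native XML layout.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
RDP_DENY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample logs: one GREASE-like chain on LAB-PC7, two benign hosts.
SAMPLE_LOGS = r"""
{"ts":"2018-05-10T08:01:12Z","host":"LAB-PC7","event_id":4720,"target_user":"support","subject":"alice"}
{"ts":"2018-05-10T08:01:15Z","host":"LAB-PC7","event_id":4732,"member":"support","group_sid":"S-1-5-32-544"}
{"ts":"2018-05-10T08:02:40Z","host":"LAB-PC7","event_id":13,"key":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","value":"0"}
{"ts":"2018-05-10T08:02:44Z","host":"LAB-PC7","event_id":1,"cmdline":"netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes"}
{"ts":"2018-05-10T09:30:00Z","host":"HR-LAPTOP2","event_id":4720,"target_user":"intern2018","subject":"helpdesk"}
{"ts":"2018-05-10T09:30:05Z","host":"HR-LAPTOP2","event_id":4732,"member":"intern2018","group_sid":"S-1-5-32-545"}
{"ts":"2018-05-11T14:00:00Z","host":"LIB-KIOSK","event_id":13,"key":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","value":"0"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def classify(ev):
    """Return which stage of the chain a single event evidences, or None."""
    eid = ev.get("event_id")
    if eid == 4720:
        return "account_created"
    if eid == 4732 and ev.get("group_sid") == ADMINS_SID:
        return "added_to_admins"
    if (eid == 13 and ev.get("key", "").lower() == RDP_DENY_KEY.lower()
            and str(ev.get("value")) == "0"):
        return "rdp_enabled"  # fDenyTSConnections cleared: RDP allowed
    cmd = ev.get("cmdline", "").lower()
    if eid == 1 and "remote desktop" in cmd and "enable=yes" in cmd:
        return "rdp_enabled"  # firewall rule group for RDP switched on
    return None


def detect(events, window=WINDOW):
    """Alert per host where a newly created account is added to
    Administrators and RDP is enabled, all within `window` of creation."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage, ev))
    alerts = []
    for host, staged in by_host.items():
        staged.sort(key=lambda item: item[0])
        for ts0, stage, ev in staged:
            if stage != "account_created":
                continue
            user = ev.get("target_user")
            later = [item for item in staged if ts0 <= item[0] <= ts0 + window]
            admin = any(st == "added_to_admins" and e.get("member") == user
                        for _, st, e in later)
            rdp = any(st == "rdp_enabled" for _, st, _e in later)
            if admin and rdp:
                alerts.append({
                    "host": host,
                    "user": user,
                    "start": ts0.isoformat(),
                    "end": max(item[0] for item in later).isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOGS)):
        print(alert)
```

Run against the sample, only LAB-PC7 fires: HR-LAPTOP2 adds its new account to Users (S-1-5-32-545), not Administrators, and LIB-KIOSK enables RDP without any account creation. Requiring all three stages on one host within a short window is what keeps the rule quiet on routine helpdesk activity; either stage alone is common enough in an academic environment to be noise.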
Kimsuky has also been observed using malicious Chromium-based browser extensions for espionage, a technique seen in STOLEN PENCIL, where the phishing landing pages prompted victims to install a browser extension, and later in the activity tracked as SharpTongue. Although the exact sequence of events is unclear and the victims overlap with other Kimsuky activity, ASERT identified STOLEN PENCIL as a distinct Advanced Persistent Threat (APT) campaign targeting academic institutions since at least May 2018.
Description last updated: 2024-05-04T16:30:41.509Z