STOLEN PENCIL

Threat Actor updated 4 months ago (2024-05-04T18:42:51.794Z)
The STOLEN PENCIL operation, first reported in May 2018, was a cyber espionage campaign assessed to have likely originated from the Democratic People's Republic of Korea (DPRK). The threat actor, tracked as Kimsuky, targeted academic institutions and used spear-phishing for initial intrusion: targets received deceptive messages containing links to domains controlled by the threat actor. Twitter user @MD0ugh was one of the first to report being targeted by this campaign.

Once the actors had a foothold on a user's system, they used Microsoft's Remote Desktop Protocol (RDP) for remote point-and-click access, and they deployed the GREASE malware during the operation. Despite this toolset, NETSCOUT noted that the operators behind STOLEN PENCIL were sloppy in covering their tracks, with infrastructure shared and victims overlapping between different threads of activity.

Kimsuky has also been known to use Chromium-based browser extensions for espionage purposes; such techniques have been seen in the campaigns tracked as Stolen Pencil and SharpTongue. Despite the unclear sequence of events and the overlap in victims, ASERT (NETSCOUT's research team) identified STOLEN PENCIL as a distinct Advanced Persistent Threat (APT) campaign targeting academic institutions since at least May 2018.
Description last updated: 2024-05-04T16:30:41.509Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

ID | Votes | Profile Description
Kimsuky | 2 | Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked threat actor first identified by a Kaspersky researcher in 2013. This cyberespionage group has been associated with various malicious activities, including spear-phishing camp
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Source Document References
Information about the STOLEN PENCIL Threat Actor was read from the documents corpus below (display limited to 20 results).

Source | Created | Title
MITRE | 2 years ago | Cyber-espionage group uses Chrome extension to infect victims
MITRE | 2 years ago | North Korean Advanced Persistent Threat Focus: Kimsuky | CISA
MITRE | 2 years ago | STOLEN PENCIL Campaign Targets Academia | NETSCOUT
CERT-EU | a year ago | German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CERT-EU | a year ago | A North Korean army of hackers is carrying out large-scale cyberattacks on government officials and politicians in the US and South Korea