STOLEN PENCIL

Threat Actor updated 5 days ago (2024-11-29T14:26:12.152Z)
The STOLEN PENCIL operation, first reported in May 2018, was a cyber espionage campaign potentially originating from the Democratic People's Republic of Korea (DPRK). The threat actor, known as Kimsuky, targeted academic institutions using spear-phishing for initial intrusion: targets received deceptive messages containing links to domains controlled by the threat actor. Twitter user @MD0ugh was one of the first to report being a target of this campaign. Upon gaining a foothold on a user's system, the threat actors used Microsoft's Remote Desktop Protocol (RDP) for remote point-and-click access. They employed the GREASE malware during the operation, demonstrating a capable toolset. Despite these techniques, Netscout noted that the operators behind STOLEN PENCIL were sloppy in covering their tracks, with shared infrastructure and overlapping victims between different threads of activity. In addition to the tactics above, Kimsuky has been known to use Chromium-based browser extensions for cyber espionage; such techniques had previously been seen in campaigns tracked as Stolen Pencil and SharpTongue. Despite the unclear sequence of events and the overlap in victims, ASERT identified the STOLEN PENCIL campaign as a distinct Advanced Persistent Threat (APT) targeting academic institutions since at least May 2018.
Description last updated: 2024-05-04T16:30:41.509Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Kimsuky is a possible alias for STOLEN PENCIL. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, which