NICKEL KIMBALL
SUMMARY
NICKEL KIMBALL has operated on behalf of the North Korean government since at least 2012. It primarily targets non-governmental organizations (NGOs), think tanks, diplomatic agencies, military organizations, economic groups, and research entities, particularly those involved with North Korean policy and relations. The group originally appeared to focus on South Korean organizations before expanding to similar organizations in other countries. The threat actors also seek to obtain access to online accounts and networks to track North Korean defectors and their relatives.
NICKEL KIMBALL is prolific. The threat actors conduct extensive spearphishing operations, using typosquatted domains or domains thematically aligned with their targets. They also engage in increasingly complex social engineering activity, often creating customized messages based on research conducted using social media and other public sources of personal information.
NICKEL KIMBALL tooling is generally distinct from that of other North Korean groups and often involves malicious Hangul Word Processing (HWP) documents as a delivery mechanism when targeting entities in South Korea. As its targeting expanded internationally, the group evolved its capabilities to include more widely used applications, including Microsoft Word and PDF documents. Malware families such as Kimsuky RAT, KimJongRAT, KONNI, and BabyShark have been linked to NICKEL KIMBALL activity.