The German Bundesamt für Verfassungsschutz (BfV) and the National Intelligence Service of the Republic of Korea (NIS) issue the following Joint Cyber Security Advisory to raise awareness of KIMSUKY’s (a.k.a. Thallium, Velvet Chollima, etc.) cyber campaigns against Google's browser and app store services targeting experts on the Korean Peninsula and North Korea issues.

This Cyber Security Advisory includes the strategy, modus operandi, Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IoCs) used in KIMSUKY’s campaigns that exploit Chromium-based web browser extensions and the Android app developer function.

The BfV and NIS assess that the aforementioned actor has already targeted Korean and German entities using spear phishing emails over the last couple of years. However, considering the universally available attack method and targets of the recently observed campaign, both services believe the actor could go further by targeting global think tanks of diplomacy and security.