North Korean Spy Operation Exposed by Vigilante Hackers – Ankor Tech

In a rare and significant blow to North Korean state-sponsored espionage, two hackers known as Saber and cyb0rg have successfully breached the workstation of a high-level operative. The incident, disclosed last week at the Def Con conference in Las Vegas, provides an unprecedented view into the inner workings of the notorious Kimsuky group, also identified as APT43 or Thallium.

The attackers detailed their infiltration in the latest issue of Phrack, a historic cybersecurity e-zine. By compromising a workstation that housed both a virtual machine and a virtual private server, the duo managed to exfiltrate sensitive data, which has since been provided to DDoSecrets, a non-profit dedicated to publishing leaked datasets in the public interest.

Illustration of North Korean dictator Kim Jong-un

Inside the Kimsuky Infrastructure

Kimsuky is widely recognized as a prolific Advanced Persistent Threat (APT) group operating under the direction of the North Korean government. The group routinely targets journalists, government agencies, and critical infrastructure, primarily in South Korea. Beyond traditional espionage, the group engages in cybercriminal activities, including stealing and laundering cryptocurrencies to bypass international sanctions and fund North Korea’s nuclear weapons program.

The breach offers a unique perspective rarely afforded to security researchers. Rather than analyzing the aftermath of a data leak, investigators now have direct access to the tools, manuals, and operational habits of an active state-sponsored hacker. Saber and cyb0rg highlighted that the data reveals a startling level of cooperation between North Korean operatives and Chinese government-linked hackers, particularly regarding the shared use of specialized tools and techniques.

Operational Habits and Internal Evidence

The hackers, who published their full findings in the latest Phrack report, identified the operative—referred to as “Kim”—through several digital artifacts. Key evidence included configuration files and domain patterns previously linked to Kimsuky infrastructure.

Perhaps most revealing were the behavioral patterns noted by the infiltrators. They observed that the operative maintained “strict office hours,” consistently connecting to the network at 09:00 and disconnecting by 17:00 Pyongyang time, suggesting a structured, bureaucratic approach to state-sanctioned cyber warfare.

A Moral Condemnation of State Espionage

In their report, the hackers did not hide their disdain for the group’s activities. They labeled Kimsuky members as “morally perverted,” accusing them of being driven by financial greed and political agendas rather than legitimate technical pursuit.

While the actions taken by Saber and cyb0rg are technically a crime, the likelihood of prosecution remains near zero, given North Korea’s isolated status and existing international sanctions. The leaked data, which includes internal manuals, password logs, and evidence of compromised South Korean networks, is now under review by the global cybersecurity community, marking a major setback for one of the world’s most active espionage units.