Citation: Youn, J.; Kim, K.; Kang, D.; Lee, J.; Park, M.; Shin, D. Research on Cyber ISR Visualization Method Based on BGP Archive Data through Hacking Case Analysis of North Korean Cyber-Attack Groups. Electronics 2022, 11, 4142. https://doi.org/10.3390/electronics11244142
Academic Editors: Aryya Gangopadhyay and Rameez Asif
Received: 19 September 2022
Accepted: 9 December 2022
Published: 12 December 2022
Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Copyright: © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Article
Research on Cyber ISR Visualization Method Based on BGP Archive Data through Hacking Case Analysis of North Korean Cyber-Attack Groups
Jaepil Youn (1,2), Kookjin Kim (1,3), Daeyoung Kang (4), Jaeil Lee (5), Moosung Park (1,6) and Dongkyoo Shin (1,3,*)
1 Department of Computer Engineering, Sejong University, Seoul 05006, Republic of Korea
2 Cyber Operations Center, Republic of Korea Army (ROKA), Gyeryong 32800, Republic of Korea
3 Department of Convergence Engineering for Intelligent Drones, Sejong University, Seoul 05006, Republic of Korea
4 Department of Military Digital Convergence, Ajou University, Suwon 16499, Republic of Korea
5 Korea Internet & Security Agency (KISA), Naju 58324, Republic of Korea
6 The 2nd R&D Institute 3rd Directorate, Agency for Defense Development (ADD), Seoul 05661, Republic of Korea
* Correspondence: [email protected]
Abstract: North Korean cyber-attack groups such as Kimsuky, Lazarus, Andariel, and Venus 121 continue to attempt spear-phishing APT attacks that exploit social issues, including COVID-19. Thus, along with the worldwide COVID-19 pandemic, related threats also persist in cyberspace. In January 2022, a hacking attack presumed to be the work of Kimsuky, a North Korean cyber-attack group, was carried out with the intent of stealing research data related to COVID-19. The problem is that the activities of cyber-attack groups are continuously increasing, and it is difficult to accurately identify cyber-attack groups and attack origins with only limited analysis information. To solve this problem, it is necessary to expand the scope of data analysis by using BGP archive data. Infrastructure and network information must be combined to draw correlations and to classify infrastructure by attack group with high accuracy. Network-based infrastructure analysis is required alongside fragmentary host-area data such as malware or system logs. This paper studies cyber ISR and BGP, together with case studies of cyber ISR visualization for situational awareness, the hacking trends of North Korean cyber-attack groups, and cyber-attack tracking. Through related research, we estimated the origin of the attack by analyzing hacking cases with cyber intelligence-based profiling techniques and correlation analysis of BGP archive data. Based on the analysis results, we propose an implementation of a cyber ISR visualization method based on BGP archive data. Future research will include a connection with research on a cyber command-and-control system, a study of the cyber battlefield area, cyber ISR, and a traceback visualization model for the origin of the attack. The final R&D goal is to develop an AI-based platform for automatic identification of cyber-attack groups and attack-origin tracking by analyzing cyber-attack behavior and the infrastructure lifecycle.
Keywords: cyber ISR; Kimsuky; MITRE ATT&CK; BGP archive data analysis; visualization
1. Introduction
As COVID-19 became a global issue, hackers quickly changed their attack methods. Numerous hackers, including advanced persistent threat (APT) attack groups, are actively exploiting the COVID-19 issue. Attacks that exploit COVID-19 are mainly social-engineering techniques and phishing attacks, and are classified into four ty