North Korea’s Kimsuky Group Mimics Key Figures in Targeted Cyber Attacks
U.S. and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors’ use of social engineering tactics to strike think tanks, academia, and news media sectors.
The “sustained information gathering efforts” have been attributed to a state-sponsored cluster dubbed Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima.
“North Korea relies heavily on intelligence gained from these spear-phishing campaigns,” the agencies said. “Successful compromises of the targeted individuals enable Kimsuky actors to craft more credible and effective spear-phishing emails that can be leveraged against sensitive, high-value targets.”
Kimsuky refers to an ancillary element within North Korea’s Reconnaissance General Bureau (RGB) and is known to collect tactical intelligence on geopolitical events and negotiations affecting the regime’s interests. It’s known to be active since at least 2012.
“These cyber actors are strategically impersonating legitimate sources to collect intelligence on geopolitical events, foreign policy strategies, and security developments of interest to the DPRK on the Korean Peninsula,” Rob Joyce, NSA director of Cybersecurity, said.
This includes journalists, academic scholars, think tank researchers, and government officials, with the ruse primarily designed to single out individuals working on North Korean matters like foreign policy and politics.
The goal of the Kimsuky’s cyber programs, the officials said, is to gain illicit access as well as provide stolen data and valuable geopolitical insight to the North Korean government.
Kimsuky has been observed leveraging open source information to identify potential targets of interest and subsequently craft their online personas to appear more legitimate by creating email addresses that resemble email addresses of real individuals they seek to impersonate.
The adoption of spoofed identities is a tactic embraced by other state-sponsored groups and is seen as a ploy to gain trust and build rapport with the victims. The adversary is also known to compromise the email accounts of the impersonated individuals to concoct convincing email messages.
“DPRK [Democratic People’s Republic of Korea] actors often use domains that resemble common internet services and media sites to deceive a target,” according to the advisory.
“Kimsuky actors tailor their themes to their target’s interests and will update their content to reflect current events discussed among the community of North Korea watchers.”
Besides using multiple personas to communicate with a target, the electronic missives come with bearing with password-protected malicious documents, either attached directly or hosted on Google Drive or Microsoft OneDrive.
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!
Join TodayThe lure files, when opened, urge the recipients to enable macros, resulting in the provision of backdoor access to the devices through malware such as BabyShark. Additionally, the persistent access is weaponized to stealthily auto-forward all emails landing in a victim’s inbox to an actor-controlled email account.
Another tell-tale sign is the use of “fake but realistic versions of actual websites, portals, or mobile applications” to harvest login credentials from victims.
The development comes weeks after cybersecurity firm SentinelOne detailed Kimsuky’s use of custom tools like ReconShark (an upgraded version of BabyShark) and RandomQuery for reconnaissance and information exfiltration.
Earlier this March, German and South Korean government authorities sounded the alarm about cyber attacks mounted by Kimsuky that entail the use of rogue browser extensions to steal users’ Gmail inboxes.
The alert also follows sanctions imposed by the U.S. Treasury Department against four entities and one individual who are involved in malicious cyber activities and fundraising schemes that aim to support North Korea’s strategic priorities.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
