US and South Korean intelligence agencies have issued new warnings about the use of social engineering tactics by North Korean cyber actors to attack think tanks, academia and the news media sector.
“Ongoing information gathering efforts” have been associated with the state-sponsored cluster tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Nickel Kimball, and Velvet Chollima.
“North Korea relies heavily on intelligence gleaned from this spear-phishing campaign,” the agencies said. “Successful compromise of targeted individuals allowed Kimsuky actors to create more credible and effective spear-phishing emails that could be leveraged against sensitive and high-value targets.”
Kimsuky refers to an auxiliary element within North Korea’s Reconnaissance General Bureau (RGB) and is known for gathering tactical intelligence on geopolitical events and negotiations affecting the regime’s interests. It has been active since at least 2012.
“These cyber actors strategically masquerade as legitimate sources to gather intelligence on geopolitical events, foreign policy strategies, and security developments of interest to the DPRK on the Korean Peninsula,” said Rob Joyce, NSA’s director of Cybersecurity.
Targets include journalists, academic scholars, think tank researchers, and government officials, with lures primarily aimed at individuals working on North Korea issues, such as foreign policy and political experts.
The goal of Kimsuky’s cyber program, officials said, was to gain illicit access and provide the North Korean government with stolen data and valuable geopolitical insights.
Kimsuky has been observed using open source information to identify potential targets of interest and then making its online personas appear more legitimate by creating email addresses that resemble those of the real individuals it wishes to impersonate.
Adopting false identities is a tactic embraced by other state-sponsored groups and is seen as a way to gain trust and build rapport with victims. Adversaries have also been known to compromise the email accounts of the impersonated individuals to concoct convincing email messages.
“DPRK (Democratic People’s Republic of Korea) actors frequently use domains that mimic common internet services and media sites to deceive targets,” according to the advisory.
“Kimsuky actors adapt their themes to their target interests and will update their content to reflect current events discussed among the North Korea watchdog community.”
In addition to using multiple personas to communicate with targets, emails include malicious documents that are password protected, either attached directly or hosted on Google Drive or Microsoft OneDrive.
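A defender-side check for the impersonation patterns the advisory describes (sender addresses built to resemble a real contact, domains mimicking common services, and a display name or Reply-To that points somewhere other than the true sender), written here as an added example and not taken from the advisory; the contact list, service list and sample headers are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed reference data (hypothetical): a contact the target corresponds with,
# and the consumer services whose domains the advisory says lure domains mimic.
TRUSTED_CONTACTS = {"jane.doe@example-thinktank.org"}
TRUSTED_SERVICES = {"google.com", "drive.google.com", "onedrive.live.com"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def similarity(a: str, b: str) -> float:
    """Normalised string similarity in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, a, b).ratio()


def assess_sender(from_header: str, reply_to: str = "") -> list[tuple[str, str]]:
    """Return (finding_code, detail) pairs for one From header and optional Reply-To."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    findings = []
    for contact in TRUSTED_CONTACTS:
        c_local, _, c_domain = contact.rpartition("@")
        # Same person-style local part as a known contact, but on another domain
        if local == c_local and domain != c_domain:
            findings.append(("contact-local-part", f"{addr} mimics {contact}"))
        # Domain within a few characters of the contact's domain (typo / TLD swap)
        if domain != c_domain and similarity(domain, c_domain) >= 0.85:
            findings.append(("contact-domain-lookalike", f"{domain} resembles {c_domain}"))
    for svc in TRUSTED_SERVICES:
        # Close to a well-known service domain without being it or a subdomain of it
        if domain != svc and not domain.endswith("." + svc) and similarity(domain, svc) >= 0.8:
            findings.append(("service-domain-lookalike", f"{domain} resembles {svc}"))
    # Display name that itself carries an address on a different domain than the sender
    m = ADDR_RE.search(display)
    if m and m.group(0).lower().rpartition("@")[2] != domain:
        findings.append(("display-name-address", f"display shows {m.group(0)}, sender is {addr}"))
    # Reply-To steering answers to a domain other than the sender's
    if reply_to:
        r_domain = parseaddr(reply_to)[1].lower().rpartition("@")[2]
        if r_domain and r_domain != domain:
            findings.append(("reply-to-mismatch", f"replies go to {r_domain}, not {domain}"))
    return findings


if __name__ == "__main__":
    for hdr in ["Jane Doe <jane.doe@example-thinktank.co>", "Google Drive <no-reply@gooogle.com>"]:
        print(hdr, "->", assess_sender(hdr))
```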
The lure file, when opened, urges the recipient to enable macros, which results in malware such as BabyShark providing backdoor access to the device. That persistent access is also used to surreptitiously forward every email that lands in the victim’s inbox to an actor-controlled email account.
Another tactic is the use of “fake but realistic versions of actual websites, portals, or mobile applications” to harvest login credentials from victims.
This development comes weeks after cybersecurity firm SentinelOne detailed Kimsuky’s use of custom tools such as ReconShark (an enhanced version of BabyShark) and RandomQuery for reconnaissance and information exfiltration.
Earlier this March, German and South Korean government authorities sounded the alarm about a cyber attack carried out by Kimsuky that involved the use of a rogue browser extension to steal the contents of a user’s Gmail inbox.
The warning also follows sanctions imposed by the US Department of the Treasury against four entities and one individual involved in malicious cyber activity and fundraising schemes aimed at supporting North Korea’s strategic priorities.