North Korea’s nation-state threat actor known as Kimsuky has been linked to a social engineering campaign targeting experts in North Korean affairs with the aim of stealing Google credentials and delivering reconnaissance malware.
“Furthermore, Kimsuky’s aims extend to stealing subscription credentials from NK News,” cybersecurity firm SentinelOne said in a report shared with The Hacker News.
“To achieve this, the group distributes emails that lure targeted individuals to the malicious website nknews(.)pro, which masquerades as the genuine NK News site. The login form shown to the target is designed to capture the credentials entered.”
NK News, founded in 2011, is an American subscription-based news website providing stories and analysis about North Korea.
The revelations come days after US and South Korean intelligence agencies issued alerts about Kimsuky’s use of social engineering tactics to attack think tanks, academia and the news media sector. Last week, the threat group was sanctioned by South Korea’s Foreign Ministry.
Active since at least 2012, Kimsuky is known for its spear-phishing tactics and its attempts to build trust and a relationship with the intended target before delivering malware, in this case a reconnaissance tool called ReconShark.
The ultimate goal of the campaign is to gather strategic intelligence and geopolitical insights, and to access sensitive information of value to North Korea.
“Their approach highlights the group’s commitment to creating a sense of rapport with the individuals they target, potentially increasing the success rate of their subsequent malicious activity,” said security researcher Aleksandar Milenkoski.
The findings also follow new revelations from the South Korean government that more than 130 North Korea observers had been singled out as part of a phishing campaign orchestrated by a government-backed hacking group.
What’s more, with North Korea deriving most of its foreign currency revenue from cyber attacks and cryptocurrency theft, threat actors operating on behalf of the regime’s interests have come under scrutiny for scamming financial institutions and venture capital firms in Japan, the US, and Vietnam.
Cybersecurity firm Recorded Future linked the activity to a group it is tracking as TAG-71, a subgroup of Lazarus also known as APT38, BlueNoroff, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444.
The adversary collective has an established track record of mounting financially motivated intrusion campaigns targeting cryptocurrency exchanges, commercial banks, and e-commerce payment systems worldwide to illegally extract funds for sanctioned countries.
“Compromising financial and investment companies and their customers could disclose sensitive or confidential information, which could result in legal or regulatory action, jeopardize pending business negotiations or agreements, or disclose information that damages a company’s strategic investment portfolio,” the company noted.
The chain of evidence so far suggests that the Lazarus Group’s motives are both espionage and financially driven, with the threat actor being blamed for the recent Atomic Wallet hack, which led to the theft of $35 million worth of crypto assets, making it the latest in a long list of crypto companies to have been hit by hacks over the last few years.
“The laundering of stolen crypto assets follows exactly the same set of steps used to launder the results of past hacks carried out by the Lazarus Group,” a blockchain analytics firm said.
“The stolen assets are being laundered using special services, including Sinbad’s mixer, which has also been used to launder the results of past hacks carried out by the Lazarus Group.”