Mandiant has revealed a new North Korean APT group that uses cryptocurrency theft to fund the Kim Jong-un regime’s primary goal of cyber espionage.
APT43 is a prolific state actor whose activities have at times been publicly attributed to ‘Kimsuky’ or ‘Thallium’. It is apparently linked to North Korea’s main foreign intelligence agency, the Reconnaissance General Bureau (RGB).
The group is notorious for prolific spear-phishing campaigns fueled by “aggressive” social engineering and spoofed domains and email addresses. Mandiant said its ultimate goal is to collect information on foreign policy and nuclear security issues, but that it may have switched to healthcare targets in 2021 as a result of the pandemic.
Its primary targets are South Korean and US-based government agencies, academics, and think tanks focused on South Korean geopolitical issues.
The group creates many impersonations and fake personas for its social engineering efforts, sometimes using them to hide its identity when purchasing operational tools and infrastructure. Mandiant said the group engages targets for weeks, sometimes tricking victims into surrendering information without even needing to deploy malware.
As Michael Barnhart, Mandiant Principal Analyst at Google Cloud, explains:
“We have seen APT43 be very successful with these fake reporter emails, resulting in a high success rate in eliciting a response from the target. serves as a reminder to verify the address and identity of
Perhaps most interestingly, the group is self-funded and targets individual victims rather than cryptocurrency exchanges to monetize its state-focused activities, Mandiant said.
One such effort used a malicious Android app to target what appeared to be Chinese users looking for cryptocurrency loans. Mandiant has also tracked 10 million “phishing NFTs” delivered to cryptocurrency users on multiple blockchains since June 2022.
Mandiant principal analyst Joe Dobson said, “By spreading an attack over hundreds, if not thousands, of victims, the activity is less noticeable than attacking one large target. It will be difficult to track.”
“The pace of their execution, coupled with their success rate, is staggering. Considering that there is
APT43 also uses hash rental and cloud mining services to launder stolen cryptocurrency into clean cryptocurrency.
“Imagine that you have stolen millions of dollars of gold. While everyone is looking for the stolen gold, you pay silver miners with the stolen gold to mine the silver. Similarly, APT43 deposits stolen cryptocurrencies with various cloud mining services to mine other cryptocurrencies,” explains Barnhart.
“For a small fee, North Korea will take clean, untracked currency and do what they want. are very likely using the same service to launder money illegally.”