North Korea’s Kimsuky Group Mimics Key Figures in Targeted Cyber Attacks

June 2, 2023 | Ravi Lakshmanan | Cyber Espionage / APT


US and South Korean intelligence agencies have issued new warnings that North Korean cyber attackers are using social engineering tactics to attack think tanks, academia and the press.

The “continuous intelligence gathering” is attributed to a state-sponsored cluster tracked as Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Nickel Kimball, and Velvet Chollima.

“North Korea relies heavily on information obtained from these spear-phishing campaigns,” the advisory said. “Successfully compromising targeted individuals has enabled Kimsuky actors to craft more credible and effective spear-phishing emails that can be leveraged against sensitive and high-value targets.”

Kimsuky refers to an ancillary element within the North Korean Reconnaissance General Bureau (RGB), known for gathering tactical intelligence on geopolitical events and negotiations that affect the regime’s interests. It is known to have been active since at least 2012.

“These cyber attackers are strategically masquerading as legitimate sources of intelligence, and they are gathering information on developments in geopolitical events on the Korean Peninsula, foreign policy strategies, and security concerns of interest to North Korea,” said Rob Joyce, director of the NSA’s cybersecurity division.

Targets include journalists, academics, think-tank researchers, and government officials, with the ploy primarily aimed at individuals working on North Korea issues, such as foreign policy and political experts.

Officials say the purpose of Kimsuky’s cyber program is not just to gain unauthorized access, but to provide the North Korean government with stolen data and valuable geopolitical insights.

Kimsuky has been observed using open-source information to identify potential targets of interest and then creating online personas and email addresses that resemble those of the real individuals it seeks to impersonate, thereby making its messages appear more legitimate.

Employing impersonated identities is a tactic used by other state-sponsored groups as well and is seen as a ploy to gain trust and build rapport with victims. The attackers have also been known to compromise the email accounts of the impersonated individuals in order to forge convincing email messages.

“North Korean [Democratic People’s Republic of Korea] attackers often use domains that resemble popular Internet services and media sites to deceive their targets,” the advisory states.

“Kimsuky actors will tailor themes to the interests of their target audience and update content to reflect current events being discussed in the North Korea watchers community.”

In addition to using multiple personas to communicate with the target, the emails carry password-protected malicious documents, either attached directly or hosted on Google Drive or Microsoft OneDrive.


When opened, the decoy file prompts the recipient to enable macros, which provides backdoor access to the device via malware such as BabyShark. That persistent access is then used to surreptitiously auto-forward every email that arrives in the victim’s inbox to an attacker-controlled email account.
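Two of the artifacts described above, lookalike sender addresses and hidden auto-forwarding rules, can be checked mechanically on the defender's side. The Python below is an added example that is not part of the advisory or this article: it flags From: headers whose display name matches a known contact but whose address differs, or whose domain closely resembles a known domain, and flags mailbox rules that forward mail outside the organization. The contact directory, domains and rules are constructed placeholders.

```python
import difflib

# Constructed directory of legitimate contacts (display name -> real address);
# in practice this would come from the organization's address book.
KNOWN_CONTACTS = {
    "Jane Analyst": "jane.analyst@example-thinktank.org",
    "Kim Reporter": "kim.reporter@example-news.com",
}
KNOWN_DOMAINS = {addr.split("@")[1] for addr in KNOWN_CONTACTS.values()}
ORG_DOMAIN = "example-thinktank.org"  # assumed domain of the defended mailbox


def parse_from(header):
    """Split a 'Display Name <address>' From: header into (name, address)."""
    name, _, rest = header.partition("<")
    return name.strip(), rest.rstrip(">").strip().lower()


def flag_sender(from_header):
    """Return the reasons a From: header looks like an impersonation attempt."""
    name, addr = parse_from(from_header)
    domain = addr.split("@")[-1]
    reasons = []
    real = KNOWN_CONTACTS.get(name)
    if real and addr != real.lower():
        # Same display name as a trusted contact, but a different mailbox.
        reasons.append("display name matches known contact but address differs")
    if domain not in KNOWN_DOMAINS:
        # Lookalike domains (dropped letter, swapped character, different TLD)
        # score high against the genuine domain; 0.8 is a conservative cutoff.
        close = difflib.get_close_matches(domain, KNOWN_DOMAINS, n=1, cutoff=0.8)
        if close:
            reasons.append(f"domain {domain} resembles known domain {close[0]}")
    return reasons


def flag_forwarding_rules(rules):
    """Return (rule name, destination) for rules that forward outside ORG_DOMAIN."""
    flagged = []
    for rule in rules:
        if rule.get("action") != "forward":
            continue
        dest = rule["to"].lower()
        if dest.split("@")[-1] != ORG_DOMAIN:
            flagged.append((rule["name"], dest))
    return flagged


if __name__ == "__main__":
    print(flag_sender("Kim Reporter <kim.reporter@example-news.co>"))
    print(flag_forwarding_rules([{"name": "backup", "action": "forward",
                                  "to": "archive@mailbox.example"}]))
```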

Another telltale sign is that “fake but realistic versions of real websites, portals, or mobile applications” are being used to collect login credentials from victims.

The development comes weeks after cybersecurity firm SentinelOne detailed Kimsuky’s use of custom tools such as ReconShark (an upgraded version of BabyShark) and RandomQuery for reconnaissance and information exfiltration.

Earlier this March, government officials in Germany and South Korea sounded the alarm about Kimsuky cyberattacks that stole the contents of users’ Gmail inboxes using rogue browser extensions.

The warning also follows sanctions imposed by the U.S. Treasury Department on four entities and one individual involved in malicious cyber activities and fundraising schemes that support North Korea’s strategic priorities.
