
The North Korean nation-state threat actor known as Kimsuky has been linked to a social engineering campaign targeting North Korea experts, aimed at stealing Google credentials and delivering reconnaissance malware.
“Furthermore, Kimsuky’s motives extend to stealing subscription credentials from NK News,” cybersecurity firm SentinelOne said in a report shared with The Hacker News.
“To accomplish this, the group distributes emails that lure targeted individuals to log into the malicious website nknews[.]pro, which masquerades as a genuine NK News site. The login form displayed to the target is designed to capture entered credentials.”
Founded in 2011, NK News is an American subscription-based news website that provides articles and analysis on North Korea.
The revelations come days after U.S. and South Korean intelligence agencies issued warnings that Kimsuky was using social engineering tactics to attack think tanks, academia and the press. Last week, the threat group was sanctioned by South Korea’s Ministry of Foreign Affairs.

Kimsuky has been active since at least 2012 and is known for its spear-phishing tactics and for attempting to establish trust and rapport with intended targets before distributing malware (a reconnaissance tool called ReconShark).
The campaign’s ultimate goal is to gather strategic intelligence and geopolitical insights, and to gain access to classified information of value to North Korea.
“Their approach underscores the group’s efforts to build a trusting relationship with the targeted individual, which has the potential to increase the success rate of subsequent malicious activity,” security researcher Aleksandar Milenkoski said.
The findings also follow new South Korean government revelations that more than 130 North Korea watchers were targeted as part of a phishing campaign organized by a government-backed hacking group.

Furthermore, North Korea derives a significant portion of its foreign currency revenue from cyberattacks and cryptocurrency heists, and threat actors acting on behalf of the regime’s interests have been observed masquerading as financial institutions and venture capital firms in Japan, the United States, and Vietnam.
Cybersecurity firm Recorded Future has linked this activity to a group tracked as TAG-71, a subgroup of Lazarus that is also known as APT38, BlueNoroff, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444.
The hostile group has a track record of stepping up financial intrusion campaigns targeting cryptocurrency exchanges, commercial banks and e-commerce payment systems around the world to illegally withdraw funds on behalf of the sanctioned country.
“Compromises of financial and investment firms and their customers may result in the exposure of confidential and sensitive information, resulting in legal or regulatory action, jeopardizing pending business deals and contracts, or leaking information that could damage a company’s strategic investment portfolio,” the company said.
The body of evidence so far suggests that the Lazarus Group’s motives are both espionage and financial. The attackers have also been blamed for the recent Atomic Wallet hack that led to the theft of $35 million worth of crypto assets, making it the latest in a long list of cryptocurrency companies to be hacked in the past few years.
“The laundering of the stolen crypto assets follows a set of procedures that are exactly consistent with those employed to launder the proceeds of past hacks carried out by the Lazarus Group,” said the blockchain analytics firm.
“The stolen assets have been laundered using specific services, such as the Sinbad mixer, that have also been used to launder the proceeds of previous hacks carried out by the Lazarus Group.”