North Korean APT Group Kimsuky Expands Social Engineering Tactics

Security researchers have discovered a new social engineering campaign orchestrated by a North Korean Advanced Persistent Threat (APT) group known as Kimsuky.

The campaign, described in an advisory released by SentinelOne on Tuesday, specifically targets experts on North Korean affairs, with the goal of stealing credentials and gathering strategic intelligence.

The SentinelOne article states: “The social engineering tactics and some infrastructure features were privately reported by PwC and closely relate to Kimsuky’s activities discussed in the NSA advisory published during the writing of this article.”

The primary goal of the attack is to steal the targets’ Google credentials and their subscription credentials for NK News, a prominent North Korea-focused news and analytics service.

To achieve this goal, Kimsuky employs tactics such as extended email exchanges, URL spoofing, and the use of reconnaissance malware called ReconShark.


In particular, SentinelOne observed Kimsuky actors impersonating Chad O’Carroll, founder of NK News and its affiliated holding company Korea Risk Group, to initiate contact.

They emailed the target requesting a review of a draft paper analyzing the North Korean nuclear threat. Once the target engages in the conversation, Kimsuky takes the opportunity to deliver a spoofed URL that appears to point to a Google document but redirects to a malicious website that harvests the victim’s Google credentials.

Additionally, Kimsuky distributed emails directing targeted individuals to a fake NK News website, with the intent of stealing their subscription credentials.
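Both lures above rely on a link that looks legitimate to the reader (visible text showing a Google Docs URL, or a host that resembles nknews.org) while its real destination is attacker-controlled. Such links can be flagged mechanically before anyone clicks. The script below is an added example, not code from SentinelLabs or from the original article; the sample message, every hostname in it, and the trusted-domain list are constructed for illustration and are not indicators from the reported campaign.

```python
"""Flag hyperlinks in an email body whose visible text or host impersonates a
trusted domain. Added example with constructed data; not from the SentinelLabs
report. Two spoofing patterns are checked:
  1. the anchor text shows a URL on one domain but the href goes elsewhere;
  2. the href host contains a trusted brand but is not under the trusted domain
     (e.g. docs.google.com.attacker.example or nknews-org.example).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Registered domains the target legitimately expects (assumption for this example).
TRUSTED_DOMAINS = {"google.com", "nknews.org"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Good enough for the hosts in this example;
    a real deployment should use the Public Suffix List and decode IDNA labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, text):
    """Return the reasons a link looks spoofed; an empty list means it looks benign."""
    reasons = []
    host = (urlsplit(href).hostname or "").lower()
    host_domain = registered_domain(host)

    # Pattern 1: anchor text displays a URL whose domain differs from the real target.
    shown = URL_RE.search(text)
    if shown:
        shown_host = (urlsplit(shown.group(0)).hostname or "").lower()
        if shown_host and registered_domain(shown_host) != host_domain:
            reasons.append(f"display host {shown_host} != href host {host}")

    # Pattern 2: host borrows a trusted brand name but is not the trusted domain.
    if host_domain not in TRUSTED_DOMAINS:
        squashed = host.replace("-", "")  # catches nknews-org.example style hosts
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]  # "google", "nknews"
            if brand in squashed:
                reasons.append(f"look-alike of {trusted}: {host}")
                break
    return reasons


def scan_email_html(html):
    """Return [(href, visible_text, reasons), ...] for every link in the body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


# Constructed sample lure; hostnames are placeholders, not real indicators.
SAMPLE_EMAIL = """
<p>Could you review my draft on the DPRK nuclear posture before Friday?</p>
<a href="https://docs.google.com.review-share.example/d/abc">https://docs.google.com/document/d/abc</a>
<p>Reminder: your NK News subscription lapses this week.</p>
<a href="https://nknews-org.example/login">Renew subscription</a>
<p>Background reading: <a href="https://docs.google.com/document/d/xyz">https://docs.google.com/document/d/xyz</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {href}")
        for r in reasons:
            print(f"           - {r}")
```

Running the script prints the first two links as SUSPICIOUS (the Google Docs look-alike trips both checks, the NK News look-alike trips the brand check) and the genuine docs.google.com link as ok. The brand check is deliberately aggressive and will also flag legitimate third parties whose names contain the brand string, so in practice it belongs in a triage pipeline rather than an automatic block.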

According to SentinelOne, the campaign highlights Kimsuky’s dedication to social engineering and its growing interest in strategic intelligence gathering.

“Having access to such reports would provide Kimsuky with valuable insight into how the international community assesses and interprets North Korea-related developments, and could contribute to broader strategic intelligence-gathering efforts.”

SentinelLabs concluded its advisory by urging organizations and individuals to remain vigilant and take appropriate security measures to mitigate the risks posed by Kimsuky’s persistent social engineering attacks.

The disclosure comes a few weeks after SentinelOne published another advisory describing a global spear phishing campaign carried out by Kimsuky.
