Severity
High
Analysis Summary
North Korean threat actors are sending emails crafted to look as though they come from reliable and authentic sources, according to a recent joint cybersecurity advisory released by the Department of State, the FBI, and the National Security Agency (NSA).
By gaining unauthorized access to targets' private documents, research, and communications, the Democratic People's Republic of Korea (DPRK) uses these spear-phishing campaigns to gather intelligence on geopolitical events, adversary foreign policy strategies, and any other information in the DPRK's interest. In particular, the technique disguises the social engineering attempts by abusing incorrectly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) records in DNS. This lets the threat actors send emails that appear to originate from a legitimate domain's mail server.
A North Korean activity cluster known by the cybersecurity community as Kimsuky (also known as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima)—a sister collective of the Lazarus Group and an affiliate of the Reconnaissance General Bureau (RGB)—has been implicated in the misuse of lax DMARC policies. According to researchers, Kimsuky started using this technique in December 2023 as part of larger initiatives to ask foreign policy specialists about their thoughts on sanctions, U.S.-South Korea policies, and nuclear disarmament.
The researchers described the adversary as a cunning social engineering expert and stated that the APT group is known to interact with its targets for prolonged periods employing a series of friendly conversations to establish trust with them. The threat group also uses a variety of aliases that mimic DPRK subject matter experts in academia, independent research, think tanks, and journalism.
Targets are frequently asked to reply by email with an official study paper or an essay giving their opinions on these subjects. The threat actors rarely use malware or credential harvesting directly against the targets; instead, they first exchange several messages. Kimsuky can likely obtain the intelligence it needs without any infection simply by asking targets directly for their thoughts or analysis.
Many of the organizations that Kimsuky spoofed had either disabled or neglected their DMARC policies, which allowed the spoofed emails to be delivered even when they failed the authentication checks. In addition, Kimsuky has been seen using free email addresses that mimic the same identity in the reply-to field to trick the target into thinking they are corresponding with actual staff members.
In one email exposed by the U.S. government, the threat actor pretended to be a legitimate journalist and asked an unidentified expert for an interview about North Korea's plans to arm itself with nuclear weapons. They claimed that their email account would be blocked temporarily and asked the recipient to reply to their personal email, which was a fake account mimicking the journalist. This suggests that the initial phishing message was sent from the journalist's compromised account, raising the likelihood that the victim would respond to the second, fake account.
Organizations are advised to update their DMARC policy so that receiving mail servers treat messages that fail the checks as suspicious or spam, and to add an email address to the DMARC record so that they receive aggregate feedback reports.
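As an added illustration of the advice above (example code, not part of the advisory), the checker below parses a DMARC TXT record, reports the weaknesses the campaign relied on (a monitoring-only `p=none` policy, partial `pct`, no `rua` reporting address), and shows whether a message failing both aligned SPF and DKIM would still be delivered unflagged. The two records and the `example.com` reporting address are constructed for the example.

```python
"""Assess DMARC records for the misconfigurations abused in DMARC spoofing."""
import re
from typing import List, Optional

# Constructed sample records, not real DNS data.
WEAK_RECORD = "v=DMARC1; p=none"
FIXED_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return findings; an empty list means the record enforces and reports."""
    if record is None:
        return ["no DMARC record: receivers apply no policy to failing mail"]
    tags = parse_dmarc(record)
    if not tags:
        return ["malformed record: missing v=DMARC1 tag, receivers ignore it"]
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("p=none: failing messages are still delivered (monitor only)")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if not re.search(r"mailto:[^,\s]+@[^,\s]+", tags.get("rua", "")):
        findings.append("no rua= address: no aggregate reports on spoofing attempts")
    return findings


def spoof_delivered(record: Optional[str], spf_aligned: bool, dkim_aligned: bool) -> bool:
    """Would a message be delivered unflagged given the aligned SPF/DKIM results?"""
    if spf_aligned or dkim_aligned:
        return True  # DMARC passes when either aligned mechanism passes
    tags = parse_dmarc(record) if record else {}
    # With p=none (or no record) a failing message is delivered as if it passed.
    return tags.get("p", "none").lower() == "none"
```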
Impact
- Identity Theft
- Unauthorized Access
- Cyber Espionage
Remediation
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your antivirus software and implementing a patch management lifecycle.
- Patch and upgrade all platforms and software on time and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and antimalware software and update signature definitions on time. Using multilayered protection is necessary to secure vulnerable assets.
- Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
- Deploy reliable endpoint protection solutions that include antivirus, antimalware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
- Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
- Deploy IDPS solutions to detect and block suspicious network traffic and intrusions.
- Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before attackers exploit them.
- Continuously monitor network traffic and security logs for any signs of suspicious activities. Stay updated on the latest threat intelligence to understand the tactics, techniques, and procedures (TTPs) employed by the Kimsuky APT group and other threat actors.