The Federal Bureau of Investigation (FBI) and its partners have uncovered an ongoing and resolute intelligence-gathering and espionage operation carried out by cyber actors linked to the Democratic People’s Republic of Korea (DPRK).
The DPRK cyber espionage campaign is known to be orchestrated by multiple state-sponsored groups namely Kimsuky, Thallium, APT43, Velvet Chollima, and Black Banshee.
These groups have set sights on a wide range of high-profile targets, including think tanks, academic institutions, and news media agencies.
Their primary objective is to pilfer valuable data and gather geopolitical insights that could serve the interests of the North Korean regime.
In a collaborative effort to combat cyber threats, a comprehensive Cybersecurity Advisory has been released that sheds light on the intricate workings of Kimsuky actors and highlights key warning signs to look out for.
It also offers practical mitigation measures that organizations can implement to bolster their network security against Kimsuky operations.
What was observed from the DPRK cyber espionage
To gain information and conduct spying activities, North Korean state-sponsored cybercriminals employed computer network exploitation globally. They targeted research centers and news media organizations among others with spearphishing campaigns.
The DPRK cyber espionage campaign involved sending emails while posing as journalists, academics, and other credible entities linked with North Korean policy circles. With this, they gathered the following information –
- Geopolitical events
- Foreign policy strategies
- Diplomatic efforts of the state’s interest
DPRK cyber espionage – State-sponsored cybercrimes
They gained access to private documents, research, and communication from the targets. “North Korea’s cyber program provides the regime with broad intelligence collection and espionage capabilities,” a Homeland Security news release said.
This DPRK cyber espionage campaign involving information gathering efforts through social engineering was observed by the government of the United States and the Republic of Korea aka South Korea.
Going back to the causes of such criminal activities, an IC3 report read, “North Korea’s primary military intelligence organization, the Reconnaissance General Bureau (RGB), which has been sanctioned by the United Nations Security Council, is primarily responsible for this network of actors and activities.”
“We assess the primary goals of the DPRK regime’s cyber program include maintaining consistent access to current intelligence about the United States, South Korea, and other countries of interest to impede any political, military, or economic threat to the regime’s security and stability,” the IC3 report further added.
Profiles of DPRK Cyber Espionage Threat Actors Revealed
Among the threat actors working for North Korea for the cyber espionage were APT43, Thallium, Black Banshee, and Velvet Chollima.
Addressing Kimsuky, another member of the group involved in the DPRK cyber espionage the report read, “Kimsuky is administratively subordinate to an element within North Korea’s RGB and has conducted broad cyber campaigns in support of RGB objectives since at least 2012.”
Kimsuky deals in stolen data and geopolitical insights for North Korea.
The social engineering emails sent by Kimsuky and others worked on deceiving the target in having them see the threat actors as legitimate officials asking or sending genuine messages.
They often used open-source information to choose and identify potential targets who might have information of value for the DPRK mission of cyber espionage.
Their email address looked legitimate just like the domains that resembled common interest services and media sites. To draw attention and gain trust via email, the Kimsuky would forward emails that would look like a threat to emails.
Explaining this the IC3 report read, “In other cases, a Kimsuky actor will use multiple personas to engage a target; one persona to conduct initial outreach and a second persona to follow-up on the first engagement to distract a potential victim from discerning the identity of the original persona. Another tactic is to “resend” or “forward” an email from a source trusted by a target.”
They even created fake versions of legitimate websites to deceive targets into unknowingly revealing sensitive data for the DPRK cyber espionage by North Korean state-sponsored threat actors.
And used malware called BabyShark which allowed persistent access to the device and quietly auto-forward all emails from the target to the hacker’s email.
Stay Vigilant: Key signs to thwart DPRK cyber espionage
Be cautious as communications may exhibit poor English with sentences that are incorrectly formatted and contain grammar errors.
Take note that the domain and email addresses could be slightly altered from their official counterparts. Additionally, be aware that some communications may incorporate Korean dialect associated with North Korea.
Some emails used for the DPRK cyber espionage also had a link to ‘Enable Macros,’ in order to view the documents in them.