
US Says North Korean Hackers Exploiting Weak DMARC Settings

The US government warns of a North Korean threat actor abusing weak email DMARC settings to hide spear-phishing attacks.


The North Korea-linked hacking group tracked as Kimsuky has been exploiting weak email Domain-based Message Authentication, Reporting and Conformance (DMARC) settings to conceal spear phishing attacks, the US government warns.

Improperly configured DMARC policies have allowed Kimsuky to spoof email messages and pose as legitimate academics, journalists, and experts in East Asian affairs, according to an alert from the FBI, the NSA, and the US Department of State. The weakness at issue is typically a published policy of p=none, which tells receiving mail servers to take no action on messages that fail authentication checks, so a forged message is delivered as if it were genuine.

“North Korea leverages these spear phishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting North Korean interests by gaining illicit access to targets’ private documents, research, and communications,” the agencies said.

As part of its cyber program, North Korea is engaging in sustained intelligence-gathering efforts through the Reconnaissance General Bureau (RGB), its premier military intelligence organization. These efforts are focused on maintaining access to intelligence about the US, South Korea, and other countries perceived as political, military, or economic threats to North Korea.

A subdivision of the RGB that is sanctioned by the US, Kimsuky has been conducting cyber activities since 2012 and has been responsible for large-scale social engineering campaigns, providing stolen data and valuable geopolitical insight to the Pyongyang regime through the compromise of policy analysts and other experts.

“Successful compromises further enable Kimsuky actors to craft more credible and effective spear phishing emails, which can then be leveraged against more sensitive, higher-value targets,” the US government added.

The agencies said the threat actor conducts well-researched and prepared spear phishing campaigns that may use content from previously compromised email accounts or may leverage fake usernames impersonating individuals from trusted organizations such as education institutions and think tanks.

Spoofed emails are sent from an actor-controlled email address and domain, with the visible From address forged to appear as though it comes from the impersonated organization. DMARC is meant to let receiving mail servers confirm, through SPF or DKIM results that align with that From domain, that a message was authorized by the domain's owner. When the impersonated domain publishes no DMARC record or a policy of p=none, messages that fail those checks are still delivered to the inbox, which helps the adversary deceive their targets.
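To make the mechanism concrete, the following is an added example (not code from the advisory or from the article) that models how a receiving mail server turns a domain's DMARC record into a disposition for one message, and reports the settings a domain owner should fix. The domain names and the two DNS records are constructed for illustration; the organizational-domain helper is a deliberate simplification (a real receiver consults the public suffix list).

```python
# Added example: DMARC policy evaluation for a spoofed message.
# Not from the advisory or the article. Records and domains are constructed.


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    if txt is None or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, approximated here as the last two labels.
    Assumption for brevity: a real receiver uses the public suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_domain=None, spf_pass=False,
                      dkim_domain=None, dkim_pass=False):
    """Return 'pass', or the policy ('none', 'quarantine', 'reject') a receiver
    applies to a message whose visible From: domain is from_domain.
    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is the d= tag
    of a DKIM signature that verified."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"  # no record published: nothing to enforce, mail is delivered
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]  # subdomain policy overrides p for subdomains
    # Receivers apply this policy only to pct% of failing mail (default 100).
    return policy.lower()


def weaknesses(record):
    """Findings a domain owner should fix before the record can stop spoofing."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record published"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: failing messages are delivered unchanged")
    if tags.get("sp") == "none" and tags.get("p", "none") != "none":
        findings.append("sp=none: any subdomain can be spoofed")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct<100: policy applied only to a sample of failing mail")
    if "rua" not in tags:
        findings.append("no rua: owner receives no aggregate reports of spoofing")
    return findings


# Constructed records for an impersonated think-tank domain, example.org.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc@example.org")

# Spoofed message: From: analyst@example.org, but relayed through
# actor-controlled infrastructure. SPF and DKIM both pass, yet only for the
# actor's own domain, so neither identifier aligns with example.org.
SPOOF = dict(from_domain="example.org",
             spf_domain="actor.example", spf_pass=True,
             dkim_domain="actor.example", dkim_pass=True)

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(name, "->", dmarc_disposition(rec, **SPOOF), weaknesses(rec))
```

Run stand-alone, the weak record yields a disposition of none for the spoofed message (delivered), while the hardened record yields reject. The strict alignment tags in the hardened record are a design choice for a domain that sends only from its own exact domain; organizations that send through subdomains or third-party providers usually need relaxed alignment and must authorize those senders in SPF and DKIM before moving to p=reject.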


Individuals in the industries Kimsuky targets are advised to be wary of links and attachments received via email, of message content that appears to have been lifted from earlier conversations with other contacts, of messages with awkward sentence structure or incorrect grammar, and of communication directed at individuals with direct or indirect knowledge of policy information.

Furthermore, spoofed email accounts, documents that ask the user to enable macros, follow-up emails sent when the recipient did not respond to the initial message, and emails claiming to be from official sources but sent through unofficial email services should also be treated as suspicious.

The US government’s alert, which provides sample spear phishing email messages from the North Korean threat actor, also contains recommended mitigations that organizations should implement to prevent the successful delivery of spoofed emails to the intended victims’ inboxes.

Editor’s note: Kimsuky is publicly tracked as APT43, Black Banshee, Emerald Sleet, G0086, Operation Stolen Pencil, Thallium, and Velvet Chollima.

Related: South Korea Says Hackers Breached Personal Emails of Presidential Staffer

Related: UN Experts Investigating Suspected Billion-Dollar North Korean Cyberattacks

Related: North Korean Hackers Developing Malware in Dlang Programming Language


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
