Researchers are warning of a social engineering campaign by the North Korean APT group known as Kimsuky that is trying to steal email credentials and plant malware. The campaign, which focuses on experts on North Korean affairs, is part of the group’s larger intelligence-gathering operations targeting research centers, think tanks, academic institutions and media outlets worldwide.
“Kimsuky, a suspected North Korean advanced persistent threat group (APT) whose activities align with the interests of the North Korean government, is known for its global targeting of organizations and individuals,” researchers from security firm SentinelOne said in a report. “Operating since at least 2012, the group often uses targeted phishing and social engineering tactics to gather intelligence and gain access to sensitive information.”
Impersonating a reliable source of North Korea news and policy analysis
In the campaign that SentinelOne analyzed, which exemplifies the depth of Kimsuky’s social engineering, the group impersonated the founder of NK News, an American subscription-based news website focused on North Korean affairs. This is part of Kimsuky’s increasingly common approach of establishing rapport with its targets before delivering a malicious payload.
In this case, the rogue email was sent to victims from a domain name very similar to that of NK News and asked them to review a draft article about the nuclear threat posed by North Korea. If victims responded to the message, the attackers followed up with a URL to a document hosted on Google Docs that then redirected them to a page designed to capture Google credentials.
“The URL destination is manipulated using the HTML href property configuration spoofing technique to point to a website created by Kimsuky,” the researchers said. “This method, commonly used in phishing attacks, creates a discrepancy between the perceived legitimacy of the link (a genuine Google document) and the actual website visited when the URL is clicked.”
The URL shown in the email actually leads to an article on Google Docs on the subject of the North Korean nuclear threat that includes edits and comments to make it look like a genuine work in progress, which shows that the attackers took the time to make their lure as believable as possible. The phishing page that users land on when they click the link mimics the page that Google Docs normally displays when someone needs to request access to a document.
For certain targets conversing with the attackers, the group decides to send weaponized password-protected Word documents that deploy a reconnaissance malware payload called ReconShark. This program probes systems for the presence of known security software and gathers information about the target’s computer that can be used to plan a future attack.
In a separate campaign, the group also sent fake emails with the aim of stealing login credentials for PRO subscriptions on the same NK News website. Fraudulent emails instruct users to review their accounts for security reasons after misuse by alleged attackers. Users are then directed to a phishing site that mimics the real NK News login page.
“Gaining access to these reports would provide Kimsuky with valuable insights into how the international community assesses and interprets developments related to North Korea, contributing to its broader strategic intelligence gathering initiatives,” the SentinelOne researchers said.
Greater focus on policy analysts
This latest campaign overlaps with North Korea’s social engineering activity documented in a joint threat warning issued last week by the US and South Korean governments. In the warning, Kimsuky’s activity is attributed to the Reconnaissance General Bureau (RGB), North Korea’s intelligence agency, which is believed to operate several cyber attack teams.
Kimsuky seems particularly focused on stealing data and gathering geopolitical information valuable to the North Korean government. “Some targeted entities may dismiss the threat posed by these social engineering campaigns, either because they do not perceive their research and communications as sensitive in nature, or because they are unaware of how these efforts feed into the regime’s wider cyber espionage efforts,” the authors of the report note. “However, as noted in this notice, North Korea relies heavily on intelligence obtained by compromising political analysts. In addition, successful compromises allow Kimsuky actors to craft more credible and effective phishing emails that can be leveraged against more sensitive and higher-value targets.”
It is worth noting that APT groups associated with the Iranian government use similar tactics of targeting academic researchers, policy analysts, and think tanks through impersonation and well-crafted emails.
Copyright © 2023 IDG Communications, Inc.
Ikaroa, a full stack tech company, is reporting that a North Korean APT group is targeting email credentials through a social engineering campaign. By using a range of tactics such as phishing emails and luring victims to malicious webpages, the group is attempting to gain access to accounts. Once access is granted, the attackers are then able to steal sensitive information and perpetrate other malicious activity.
To protect against this threat, Ikaroa is urging users to be vigilant about online security and recommends the following steps to protect yourself and your data:
• Regularly update your software. Ensure all software, including operating systems, web browsers and other applications, is up to date. Outdated versions often contain vulnerabilities that attackers can exploit to gain access to accounts.
• Enable two-factor authentication. Whenever possible, enable two-factor authentication on accounts for an extra layer of security.
• Be aware of phishing emails. Don’t click on links or open attachments from unknown senders, and if something looks suspicious, verify the sender’s identity before taking any action.
• Educate all users. Make sure all users are aware of the tactics attackers use and how to spot suspicious emails and websites.
Ikaroa understands that security is a top priority for businesses of all sizes, and recommends taking the necessary steps to protect yourself against these threats. With the right precautions, businesses can stay ahead of the hackers and protect the valuable data stored in their systems.