Saturday, April 20, 2024

North Korean hacker group poses as journalists and experts to steal information

A criminal cyber espionage group believed to be backed by the North Korean government masquerades as journalists, academics, and experts to trick its victims into providing information that can be used for espionage.

It also spoofs websites of legitimate organizations to trick targets into providing information that can be used in cybercrimes the group carries out to finance itself, according to a new report that tracked the operations of cyber attackers for five years.

Google Cloud’s cybersecurity subsidiary firm Mandiant classified the group, which it calls APT43 and which it has been monitoring since 2018, as a “moderately sophisticated cyber operator that supports the interests of the North Korean regime.”

The group’s status as a “designated threat actor” indicates that Mandiant’s cyber analysts had sufficient evidence to attribute the activity to a specific group.

APT stands for “advanced persistent threats,” which the firm says are groups that “receive direction and support from an established nation state.”

APT43 has also been called “Kimsuky” or “Thallium” by other companies, which have their own naming conventions. Mandiant believes the group could be part of North Korea’s main foreign intelligence agency.

“APT43 has shown that it can be quite fluid to adapt to the needs of the regime and changes its orientation accordingly,” Gary Freas, a senior analyst at Mandiant, told RFA.

According to the report, APT43 conducted espionage against South Korean and United States government organizations, academia, and think tanks dealing with North Korean geopolitical issues, and engaged in cybercrime to steal and launder cryptocurrency.

Posing as experts

The most common APT43 attack involves impersonating experts or journalists in phishing emails in order to obtain information from its victims.

In this scheme, the attacker poses as a reporter or think tank analyst to gather intelligence, including asking experts and academics to answer questions on North Korea-related topics. Attackers often pretend to be well-known people in their field to develop a relationship with others in the field before asking them to provide strategic analysis on specific topics.

People watch a television broadcasting a news report about North Korea firing a ballistic missile at Japan, at a train station in Seoul, South Korea, on October 4, 2022. Credit: Reuters

In an example provided in the report, an attacker impersonated a journalist using an email address ending in “@voanews.live”, which resembles the “@voanews.com” addresses used by journalists who work for the US news outlet Voice of America.

The email requested a reaction to a North Korean ballistic missile launch on October 4, 2022 that flew over Japan, including asking the recipient whether it meant that another North Korean nuclear test might be imminent, and whether Japan might increase its defense budget or pursue a more “proactive” defense policy.

Because the focus of these types of attacks is often North Korea’s security and nuclear development, Mandiant believes “with moderate confidence” that APT43 operates under the Reconnaissance General Bureau, or RGB, North Korea’s main foreign intelligence service.

“The campaigns attributed to APT43 are closely aligned with state interests and strongly correlate with geopolitical developments affecting Kim Jong-un and the hermit state’s ruling elite,” the report says. “Since Mandiant has been tracking APT43, they have consistently carried out espionage activities against South Korean and US organizations interested in security issues affecting the Korean Peninsula.”

Mandiant also noted that it detected a shift in the group’s activity between October 2020 and October 2021 toward the healthcare sector and pharmaceutical companies, likely to collect information that would support a North Korean response to COVID-19. This indicates that the group adapts to the changing priorities of the North Korean government.

“The kinds of questions we see them ask when they commission articles and when they request interviews have a lot to do with possible responses to different stimuli,” Jenny Town, director of the 38 North Project at the Washington-based Stimson Center, said during a discussion on APT43 on a podcast hosted by Mandiant.

“And really, (they are) trying to better understand how different actions might be perceived, presumably to help them better decide where the red lines are,” she said.

Emails Indicate Goals

Town, who has herself been targeted by APT43 and been impersonated by the group when it targets others, said the emails can show what North Korea’s targets might be.

“The questions they ask make a lot of sense and give us an idea of the kinds of things they might be thinking about doing as well,” she said. “It’s always been very interesting to see the evolution and what they will ask different people.”

Freas said the questions in the emails often show North Korean intent.

“Every time APT43 goes after people, posing as a prominent reporter or analyst, they ask questions that are so specific to the regime’s priority intelligence requirements that they show us their hand,” he said. “This gives us a good insight into what is happening in the closed nation and that data is very useful for security vendors and for people trying to investigate this.”

Town said other experts have come to see being impersonated by apparent North Korean cyber attackers as a sign of their success in the field.

APT43 has also been known to target organizations for information on sanctions items that are prohibited for export to North Korea, according to the report.

During the same podcast, Mandiant analyst Michael Barnhart said that APT43’s methods tend to work on older victims.

“Some of the younger people aren’t as (eager) to click on a suspicious link, so they may not get there,” Barnhart said. “You’re looking at an older crowd who probably have a little less cyber hygiene.”

‘Good at what they do’

“What this group lacks in sophistication, they make up for in volume,” Freas said. “It’s unique to see the success they’re having with such widely known and frequently exploited techniques.”

Freas explained that APT43 thoroughly researches the people it impersonates and targets in order to achieve its goals.

“If APT43 misses a target or a person, they just move on to the next set. They are agile and we see them creating new personas and infrastructure for targeting very quickly and at scale,” Freas said.

Barnhart said on the podcast that it was necessary to know the group’s methods in order for potential victims to protect themselves.

“We are trying to be proactive. We are done being reactive. We are trying to come out and get in front of their endpoint protections and things like that,” he said. “These guys…they are good at what they do.”

In addition to espionage, the group does internal monitoring of other North Korean groups and their operations.

Laundering cryptocurrency

For many years, the cash-strapped North Korean government has directed government organizations to generate funds for their own operations, in line with North Korea’s founding juche ideology of self-reliance.

For factories or collective farms, this could mean that they sell part of their produce on the open market to generate funds for raw materials or farm equipment.

But for APT43, much of their funding comes from cryptocurrency theft and laundering. To compromise financial data, the group engages in credential harvesting campaigns.

“In particular, the group registers domains posing as popular search engines, web platforms, and cryptocurrency exchanges in relevant countries of interest,” the report says. “We believe these credentials are used to support operations that further APT43 missions.”

An example in the report showed the spoofed Cornell University website instructing users to log in with their cornell.edu credentials.

The group is also known to spoof Google and Yahoo mail and other legitimate sites on domains it controls, to host “malicious scripts and tools,” said an advisory about the group published in 2020 by the Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security.
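Both the journalist impersonation described earlier (an address ending in “@voanews.live” standing in for “@voanews.com”) and the spoofed login pages described here rely on the same thing: a domain that looks like a trusted one but is not. The following script, added here as an illustration and not code from Mandiant, RFA or CISA, flags sender domains and link hosts that imitate a trusted domain by three heuristics: same name under a different top-level domain, the trusted name embedded inside an unrelated domain, and a one-character typo. The trusted-domain allowlist, the helper names and the sample messages are all constructed for this example.

```python
"""
Lookalike-domain check for e-mail sender addresses and embedded links.

Added example, not code from Mandiant, RFA or CISA. The allowlist below and the
sample messages at the bottom are constructed for the example.
"""
import re
from typing import Optional

# Constructed allowlist of domains the reader's organisation trusts.
TRUSTED_DOMAINS = {"voanews.com", "cornell.edu", "google.com"}

ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _brand(domain: str) -> str:
    """Second-level label ('voanews' for 'voanews.com' or 'mail.voanews.live').
    Simplification: a real deployment should use the public-suffix list so that
    suffixes such as co.uk are handled correctly."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(domain: str) -> Optional[str]:
    """Return None for a trusted or unrelated domain, else why it looks like a lookalike."""
    d = domain.lower().rstrip(".")
    labels = d.split(".")
    # A trusted domain, or a subdomain of one, is fine.
    for trusted in TRUSTED_DOMAINS:
        if d == trusted or d.endswith("." + trusted):
            return None
    for trusted in TRUSTED_DOMAINS:
        brand = _brand(trusted)
        # Same name, different suffix: voanews.live instead of voanews.com.
        if _brand(d) == brand:
            return f"tld-swap of {trusted}"
        # Trusted name buried inside an unrelated domain: cornell.edu.login-portal.example.
        # Heuristic; tune with an allowlist for legitimate names that contain a brand.
        if any(brand in label for label in labels):
            return f"embeds {trusted}"
        # One-character typo in the name: cornel.edu instead of cornell.edu.
        if _levenshtein(_brand(d), brand) == 1:
            return f"typosquat of {trusted}"
    return None


def scan_message(headers: dict, body: str) -> list:
    """Check the From and Reply-To domains and every link host in the body."""
    findings = []
    for header in ("From", "Reply-To"):
        m = ADDR_RE.search(headers.get(header, ""))
        if m:
            reason = classify_domain(m.group(1))
            if reason:
                findings.append((header, m.group(1), reason))
    for host in URL_HOST_RE.findall(body):
        reason = classify_domain(host)
        if reason:
            findings.append(("link", host, reason))
    return findings


# Constructed sample messages modelled on the pattern the article describes.
SAMPLE_MESSAGES = [
    ({"From": "Reporter <reporter@voanews.live>"},
     "Could you comment on the missile launch over Japan? Reply at https://voanews.live/reply"),
    ({"From": "IT Help <helpdesk@cornel.edu>"},
     "Please verify your account at https://cornell.edu.login-portal.example/sso"),
    ({"From": "Colleague <colleague@voanews.com>"},
     "See https://www.voanews.com/article for the story."),
]


def scan_all() -> list:
    """Findings per sample message; the genuine voanews.com message yields none."""
    return [scan_message(headers, body) for headers, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for i, findings in enumerate(scan_all(), 1):
        print(f"message {i}: {findings or 'no lookalike domains'}")
```

Running the script reports both the sender and the link in the first message as a TLD swap of voanews.com, the second message's sender as a typosquat and its link as embedding cornell.edu, and nothing for the genuine message. The "embeds" heuristic is deliberately broad and will flag legitimate names that contain a brand, so in practice it belongs behind a per-organisation allowlist.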

APT43 launders ill-gotten cryptocurrency to extract new cryptocurrency that cannot be traced back to the theft.

“In other words, they use stolen cryptocurrency to mine clean cryptocurrency,” the report says.

Unlike other cybercrime groups, APT43 appears to be self-funding rather than generating revenue for the North Korean regime, which Mandiant says suggests a “widespread mandate” for government-backed groups to sustain their operations without resources from the central government.

‘All Purpose Sword’

Cyberattacks are the “multipurpose sword” of North Korea’s leadership and a weapon of mass destruction second only to Pyongyang’s nuclear weapons, said Daniel Russel, former assistant secretary of state for East Asian and Pacific Affairs and current vice president for international security and diplomacy at the New York-based Asia Society Policy Institute.

South Korean protesters burn portraits of then North Korean leader Kim Jong Il (right) and his son Kim Jong Un during a demonstration denouncing the North’s cyber attacks. Credit: Reuters file photo

“For the DPRK, cyber is a high impact, low cost and low risk digital age tool to steal cash and cryptocurrency, hack secrets and terrorize connected nations,” Russel told the RFA English Service. “APT43 is part of a large, elite corps of highly-trained hackers that has probably already stolen billions of dollars, mitigating the effect of sanctions.”

Russel said North Korea has also experimented with cyberattacks against infrastructure abroad.

“Developed countries with sophisticated urban, aviation, communications and electrical infrastructure are particularly vulnerable,” he said, adding that cyberattacks can be camouflaged so that they are difficult to attribute to a particular country or entity. “It is no coincidence that North Korean hackers are embedded in China and Russia, using servers in those countries to make US retaliation risky.”

Russel said building cyber skills can be done cheaply, using widely available equipment.

“The spotlight on hacker groups like APT43 is essential, both as a warning to potential targets and to encourage cybersecurity companies to defend against their malicious attacks,” said Russel.

Edited by Boer Deng and Malcolm Foster.
