Several U.S. intelligence departments, working with key agencies in South Korea, warn that North Korean state-sponsored actors continue to use social engineering to target employees of think tanks, academic institutions and the news media.
The FBI, State Department, National Security Agency and Cybersecurity and Infrastructure Security Agency recently issued an advisory. The North Korean cyber actors are known to conduct “spearphishing” campaigns posing as real journalists, academics or other individuals with credible links to North Korean policy circles.
The North Koreans use social engineering to collect intelligence on geopolitical events, foreign policy strategies and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets, the FBI said.
The U.S. and South Korea governments, along with private-sector cybersecurity companies, are tracking a specific set of North Korean cyber actors conducting large-scale social engineering campaigns that include Kimsuky, Thallium, APT43, Velvet Chollima and Black Banshee. Kimsuky is among the groups conducting large-scale social engineering campaigns.
The joint advisory provides detailed information on how Kimsuky actors operate, red flags to consider and general mitigation measures for entities to implement to better protect against Kimsuky’s CNE operations.
“North Korea has been ramping up attacks over the past year,” says Tom Kellermann, senior vice president of cyber strategy at Contrast Security and former member of the Commission on Cybersecurity under President Barack Obama’s administration. “It is noteworthy that North Korea’s nuclear program is largely funded by their cybercrime campaigns.
“This advisory is important due to the systemic nature of the attacks and their shift in targeted entities,” Kellermann notes. “The best practices highlighted in the advisory are thoughtful and prudent.”
Attacks have many purposes
The FBI said some targeted entities may discount the threat posed by the campaigns because they don’t perceive their research and communications as sensitive in nature, or they aren’t aware of how the efforts fuel the regime’s broader cyber espionage efforts.
Most people associate cybercrime with financial theft, but that isn’t always the goal -- especially when nation-states are involved, says Erich Kron, a security awareness advocate at KnowBe4. The FBI notes that North Korea relies heavily on intelligence gained by compromising policy analysts, the U.S. said.
“Sometimes intellectual property or even intelligence on military or high-value civilian programs is more valuable than just making a few dollars in a scam,” Kron says. “Because modern think tanks and universities store so much information digitally, it makes stealing that information much easier than when spies had to be outfitted with specialty equipment and microfilm cameras,” he notes. “These modern-day digital spies are extremely well trained and efficient at stealing sensitive or valuable information.”
Because the initial network access often occurs through simple social engineering attacks such as email and phishing, organizations that handle or deal with this kind of sensitive information “should ensure that employees are educated and trained on how to spot and report these types of attacks before the attackers can be successful,” Kron notes.
“Further, successful compromises enable Kimsuky actors to craft more credible and effective spearphishing emails that can be leveraged against more sensitive, higher-value targets,” the FBI warned.
Mike Stokkel, senior threat intelligence analyst at Fox-IT, part of NCC Group, says the organization’s Group Threat Intelligence team has observed spearphishing attempts from the Kumsuky towards journalists heavily involved in North Korea’s development. The group has also observed victims among professors specialized in nuclear science or even Korean history at universities.
“Even now, Kimsuky exposes their potential interest by registering new domains for their phishing/social engineering attempts,” says Stokkel. “For example, Ministry of Foreign Affairs, Foreign Policy Research Institutes, and Ministries of Unification/Universities.
“Just like other North Korean adversaries, Kimsuky has become better and more persistent when it comes to spearphishing and social engineering. In many cases, they make the effort to learn more about their targets and their relationships. By gathering more information about their targets, they have shown an increase in the effectiveness of their phishing techniques.”
Although North Korea is heavily invested in targeting organizations/individuals in sectors such as education, governments, nuclear research, news and media, “this focus can quickly change depending on the interests of the North Korean regime,” Stokkel notes. “For example, we saw a sudden increase from North Korean threat actors targeting the medical sector during the COVID crisis.”
“In addition to the guidance provided in the joint cybersecurity advisory, we also suggest that organizations gain a good understanding of their threat landscape. In many cases, they’re not aware of the potential interest by nation-state adversaries in their operating sector or line of work. It is also important to keep this information updated over time, as the growth in customers or relationships/partnerships could increase the risk of being targeted.”