Intelligence and law enforcement agencies in the United States and South Korea have issued a warning about the North Korean state-sponsored hacking group Kimsuky (aka APT43, Thallium, and Velvet Chollima), which has been targeting individuals in research centers, think tanks, academic institutions, and news media organizations in spear phishing campaigns, often posing as journalists, academics, and other individuals with credible links to North Korean policy circles.
The hackers use social engineering techniques to gain access to email accounts and networks to steal documents, research, and communications, which are used to fuel North Korea’s broader cyber offensive efforts. These attacks allow the threat actors to gather extensive intelligence to help them craft more convincing spear phishing emails to attack higher-value targets.
According to the cybersecurity alert issued by the Federal Bureau of Investigation (FBI), the US Department of State, the National Security Agency (NSA), the Republic of Korea’s National Intelligence Service (NIS), the National Police Agency (NPA), and the Ministry of Foreign Affairs (MOFA), Kimsuky hackers put a considerable amount of time and effort into their spear-phishing attacks.
The hackers create email accounts that closely resemble those of the individuals they impersonate, differing from the legitimate address only subtly. The phishing emails are well crafted and contain realistic content, so much so that they are difficult to differentiate from genuine communications. Intercepted email communications include messages in which journalists and academics are impersonated and questions are asked about current political events on the Korean peninsula, North Korea’s weapons program, or other current events.
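The look-alike addresses described above are the kind of red flag that can be checked mechanically against a target's known correspondents. The Python below is an added example written for this page, not code from the advisory or the article: it flags a sender whose address is within a couple of edits of a trusted contact, whose address becomes identical to a trusted one once confusable characters (0/o, 1/l, rn/m) are folded, or whose display name matches a trusted contact while the address does not. The trusted-contact list, the sample headers and the confusable table are all constructed for illustration.

```python
"""Flag sender addresses that are near-copies of trusted contacts.

Added example for this page; not part of the advisory. The contact list,
sample headers and confusable-character table are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: people the target actually corresponds with.
TRUSTED_CONTACTS: Dict[str, str] = {
    "jane.doe@example-university.edu": "Jane Doe",
    "reporter@news-example.com": "Alex Reporter",
}

# Constructed table of visually similar substitutions; extend as needed.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize(address: str) -> str:
    """Lower-case, fold confusable digits, collapse 'rn'->'m' and 'vv'->'w'.

    Both the trusted address and the candidate go through this, so a
    legitimate 'rn' in a word does not matter: it is folded on both sides.
    """
    a = address.strip().lower().translate(CONFUSABLES)
    return a.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    sender: str
    lookalike_of: str
    reason: str


def check_sender(display_name: str, sender: str,
                 trusted: Dict[str, str] = TRUSTED_CONTACTS,
                 max_distance: int = 2) -> Optional[Finding]:
    """Return a Finding if the sender looks like a trusted contact, else None."""
    raw = sender.strip().lower()
    if raw in trusted:
        return None  # exact, known address
    sender_n = normalize(sender)
    s_local, _, s_domain = sender_n.partition("@")
    for addr, name in trusted.items():
        addr_n = normalize(addr)
        if sender_n == addr_n:
            return Finding(sender, addr, "homoglyph/confusable substitution")
        # Compare local part and domain separately so the '@' stays aligned
        # and a one-character domain change is not masked by a long local part.
        t_local, _, t_domain = addr_n.partition("@")
        d = edit_distance(s_local, t_local) + edit_distance(s_domain, t_domain)
        if d <= max_distance:
            return Finding(sender, addr, f"address within {d} edit(s) of trusted contact")
        if display_name.strip().lower() == name.lower():
            return Finding(sender, addr, "display name of trusted contact on unknown address")
    return None


# Constructed From: headers (display name, address); not intercepted mail.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Jane Doe", "jane.doe@example-university.edu"),        # legitimate
    ("Jane Doe", "jane.d0e@example-university.edu"),        # digit 0 for o
    ("Jane Doe", "jane.doe@example-universlty.edu"),        # one-letter domain typo
    ("Jane Doe", "janedoe.research@freemail-example.com"),  # name reused, new address
    ("Alex Reporter", "reporter@news-exarnple.com"),        # 'rn' for 'm'
    ("Unknown Person", "someone@unrelated-example.org"),    # no relation, not flagged
]


def scan(headers: List[Tuple[str, str]] = SAMPLE_HEADERS) -> List[Finding]:
    """Run check_sender over a batch of headers and keep the hits."""
    return [f for f in (check_sender(n, a) for n, a in headers) if f]


if __name__ == "__main__":
    for f in scan():
        print(f"{f.sender!r} looks like {f.lookalike_of!r}: {f.reason}")
```

Four of the six constructed headers are flagged; the legitimate address and the unrelated stranger pass. The edit-distance threshold should be tuned to the address lengths in the contact list, since two edits on a very short address is a large change, and the digit-folding will also flag a genuinely new correspondent whose address happens to normalize onto a known one, which is the intended behaviour for the first message from an unfamiliar address.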
Some of the emails request interviews, participation in surveys, or ask the target to review reports and documents. It is common for the initial emails to be free of any malicious content, with the first contact seeking only to establish a channel of communication. The malicious content is often sent a few days later in a follow-up message. The aim is to obtain credentials that give access to accounts and devices. In some of the attacks, multiple personas are used: one persona establishes initial contact, and the second phase of the attack is then conducted under a different persona.
When malicious documents are used in the attack, they are often password protected so that security solutions cannot open and analyze them. In some of the attacks, Kimsuky directs targets to realistic but spoofed websites, portals, or mobile applications and tricks them into entering their credentials. The BabyShark malware is commonly deployed to maintain persistent access to victims’ communications.
The alert provides several red flag indicators to look out for, samples of email communications that have been intercepted, along with a list of recommended mitigations to improve defenses against these spear phishing emails.