May 3, 2024 at 12:15PM
The US government warns of North Korea-linked hacking group Kimsuky exploiting weak email DMARC settings to conceal spear phishing attacks. They collect intelligence on geopolitical events and maintain access to information affecting North Korean interests. Kimsuky has been engaging in cyber activities since 2012 and conducts well-researched spear phishing campaigns. The government advises targeted industries to remain vigilant.
The North Korea-linked hacking group known as Kimsuky has been exploiting weak email Domain-based Message Authentication, Reporting and Conformance (DMARC) settings to carry out spear phishing attacks. The US government has issued an alert, in collaboration with the FBI, the NSA, and the US Department of State, warning about Kimsuky’s tactics.
Kimsuky has been exploiting weak DMARC policies to spoof email messages and impersonate legitimate academics, journalists, and experts in East Asian affairs. This has allowed the group to carry out spear phishing campaigns to collect intelligence on geopolitical events, foreign policy strategies, and other information affecting North Korean interests. North Korea's cyber program is run through the Reconnaissance General Bureau (RGB), with a focus on intelligence gathering related to the US, South Korea, and other perceived threats to North Korea.
Kimsuky, operating as a subdivision of RGB, has been engaged in cyber activities since 2012 and is responsible for large-scale social engineering campaigns. These activities provide stolen data and valuable geopolitical insight to the Pyongyang regime by compromising policy analysts and other experts. The threat actor conducts well-researched and prepared spear phishing campaigns, leveraging compromised email accounts and spoofed emails to deceive their targets.
In response to these threats, individuals associated with Kimsuky-targeted industries are advised to be cautious of suspicious links and attachments received via email, incorrect grammar in messages, and communication targeting individuals with direct or indirect knowledge of policy information. Additionally, spoofed email accounts, documents that request the user to enable macros, follow-up emails, and emails claiming to be from official sources but coming from unofficial email services should be considered suspicious.
The US government’s alert contains sample spear phishing email messages from the threat actor and includes recommended mitigations that organizations should implement to prevent the successful delivery of spoofed emails.
Editor’s note: Kimsuky is publicly tracked as APT43, Black Banshee, Emerald Sleet, G0086, Operation Stolen Pencil, THALLIUM, Thallium, and Velvet Chollima.