North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks

December 3, 2024 at 04:52AM

North Korea-aligned Kimsuky is linked to phishing attacks using Russian sender addresses to steal credentials. These attacks, primarily targeting South Korean users, exploit email services and impersonate institutions like Naver. Kimsuky utilizes compromised servers and tools for spoofing to evade security, aiming for account hijacking and further attacks.

### Meeting Takeaways – December 03, 2024

**Subject: Threat Intelligence / Email Security – Kimsuky Threat Actor Update**

1. **Kimsuky Overview**:
– The North Korea-aligned group known as Kimsuky is linked to recent phishing attacks aimed at credential theft.

2. **Phishing Tactics**:
– The attacks began with phishing emails originating from Japanese and Korean email services until early September 2024.
– From mid-September, emails disguised as being from Russian sender addresses were observed.
– Kimsuky exploited VK’s Mail.ru email service and used multiple domain aliases (e.g., mail.ru, internet.ru) to conduct phishing campaigns.

3. **Targeted Institutions and Techniques**:
– Phishing attempts often mimic trusted entities such as financial institutions and services like Naver.
– Specific attacks included messages appearing to originate from Naver’s MYBOX cloud storage, creating urgency for users to delete supposed malicious files.

4. **Technical Details**:
– Early phishing campaigns utilized high-risk sender domains including “mmbox[.]ru” and “ncloud[.]ru”.
– A compromised email server (Evangelia University) was identified as a source for these phishing emails, utilizing a PHP mailer called Star.
– Kimsuky has a history of using legitimate email tools (e.g., PHPMailer, Star) to enhance the credibility of their phishing attempts.

5. **End Goals and Implications**:
– The ultimate aim of these phishing campaigns is credential theft, enabling attackers to hijack accounts and potentially launch subsequent attacks on other targets.
– Kimsuky is noted for effectively utilizing social engineering techniques and spoofing methods to bypass security measures.

6. **Regulatory Attention**:
– Earlier in the year, the U.S. government highlighted Kimsuky’s exploitation of improperly configured DMARC policies for their phishing activities.

**Action Items**:
– Increase awareness regarding Kimsuky phishing tactics among employees.
– Recommend reviewing and strengthening email security protocols, particularly regarding DMARC settings.
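One way to carry out the DMARC review in the action items, as an added example that is not part of the original post: it parses a DMARC TXT record and flags the settings (no record, `p=none`, partial `pct`, unset subdomain policy, relaxed alignment, no reporting address) that leave a domain open to sender spoofing. The records and the example.com addresses are constructed.

```python
"""Assess a DMARC TXT record for the weak settings that let spoofed sender
addresses through. Added example; the records below are constructed."""
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a tag/value dict (tags lowercased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> list:
    """Return findings; an empty list means failing mail is quarantined or rejected."""
    if not record:
        return ["no DMARC record published: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or wrong v=DMARC1 tag: receivers ignore the record")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'}: mail failing DMARC is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied only to a sample of failing mail")
    sub = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if sub not in ("quarantine", "reject"):
        findings.append(f"sp={sub or '<missing>'}: subdomains can still be spoofed")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag}=r: relaxed alignment, any host in the org domain aligns")
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports of spoofing attempts not collected")
    return findings


# Constructed records, not any real domain's DNS data.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
            "rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for name, rec in (("weak", WEAK), ("hardened", HARDENED), ("absent", None)):
        print(name, assess_dmarc(rec) or ["ok"])
```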

**Follow-Up**: Stay updated on trends by following our social media channels on Twitter and LinkedIn for more insights.
