CyberSecurity SEE

Social Engineering Campaign by North Korean APT Group Targets Email Credentials

A new report reveals North Korean hackers are employing social engineering tactics in a bid to steal email credentials and plant malware. Researchers from SentinelOne warn that hackers are targeting experts in North Korean affairs. Kimsuky, the suspected North Korean advanced persistent threat (APT) group behind the attacks, uses targeted phishing and a range of social engineering techniques to gather intelligence, according to the report. For instance, Kimsuky impersonated the founder of an American subscription-based news website focused on North Korean affairs and sent a rogue email from a domain name resembling the publication. Victims who responded and opened a document were then taken to an imitation Google Docs page designed to capture their credentials.
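The lookalike sender domain described above is a pattern mail-security teams can screen for before a message reaches an analyst. The following is an added illustration, not code from SentinelOne or the article: a small heuristic that compares the domain in each inbound From: header against a list of domains the organisation genuinely corresponds with, after undoing common character substitutions and ignoring the top-level domain. All domain names and headers are constructed for the example; the trusted-domain list and the 0.8 similarity threshold are assumptions a deploying team would tune.

```python
"""Flag inbound sender domains that closely resemble a trusted publication's domain.

Added example (not from the SentinelOne report or the article). All domains,
headers and thresholds are constructed assumptions for illustration.
"""
import re
from difflib import SequenceMatcher

# Constructed: domains this organisation actually exchanges mail with.
TRUSTED_DOMAINS = ["nk-insight-news.example", "policy-institute.example"]

# Character substitutions frequently seen in lookalike registrations.
SUBSTITUTIONS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case the domain and undo common lookalike substitutions."""
    d = domain.lower().strip()
    for bad, good in SUBSTITUTIONS.items():
        d = d.replace(bad, good)
    return d


def registrable_part(domain: str) -> str:
    """Drop the last label so a TLD swap (foo.org vs foo.net) still compares on 'foo'."""
    return domain.rsplit(".", 1)[0]


def lookalike_score(candidate: str, trusted: str) -> float:
    """Similarity in [0, 1] between a candidate domain and a trusted one."""
    a = registrable_part(normalise(candidate))
    b = registrable_part(normalise(trusted))
    return SequenceMatcher(None, a, b).ratio()


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value)
    return m.group(1).lower() if m else ""


def classify(header_value: str, threshold: float = 0.8) -> str:
    """Return 'trusted', 'lookalike-of:<domain>', 'unrelated' or 'no-domain'."""
    dom = sender_domain(header_value)
    if not dom:
        return "no-domain"
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    score, match = max((lookalike_score(dom, t), t) for t in TRUSTED_DOMAINS)
    if score >= threshold:
        return f"lookalike-of:{match}"
    return "unrelated"


# Constructed sample From: headers, one per case the check distinguishes.
SAMPLE_HEADERS = [
    "Editor <editor@nk-insight-news.example>",   # genuine correspondent
    "Editor <editor@nk-insight-news.org>",       # TLD swap
    "Editor <editor@nk-1nsight-news.example>",   # digit-for-letter substitution
    "Shop <offers@unrelated-shop.example>",      # no resemblance
]


def triage(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its classification; the lookalikes are the ones to review."""
    return {h: classify(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:40s} {header}")
```

Scores near 1.0 catch TLD swaps and single-character substitutions; the threshold keeps genuinely different domains out of the review queue. In practice this sits alongside SPF, DKIM and DMARC evaluation rather than replacing it, since a lookalike domain controlled by the attacker can pass all three.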

For the targets who engaged with the attackers, the group subsequently sent weaponised, password-protected Word documents carrying a reconnaissance malware payload called ReconShark. The program can probe systems, collect information about the target computer and map out potential future attacks. The group has also been known to adapt its phishing lures around the news website itself, sending fake emails aimed at stealing login credentials for the site.

The researchers note that Kimsuky has a broader intelligence gathering remit that includes other targets such as think tanks, research centres and academic institutions, as well as news outlets around the world. This latest campaign coincides with other North Korean social engineering activity identified in a joint threat advisory issued by the US and South Korean authorities. That report attributed Kimsuky to North Korea’s intelligence agency, the Reconnaissance General Bureau. The findings also indicate that Kimsuky’s attention is particularly focused on stealing data to provide valuable geopolitical insight for Pyongyang.

“Some targeted entities may discount the threat posed by these social engineering campaigns, either because they do not perceive their research and communications as sensitive in nature or because they are not aware of how these efforts fuel the regime’s broader cyber espionage efforts,” SentinelOne’s team explained. “However, as outlined in this advisory, North Korea relies heavily on intelligence gained by compromising policy analysts.”

It is worth noting that APT groups believed to be tied to the Iranian government have targeted academic researchers, policy analysts and think tanks with similar tactics, using impersonation and well-crafted emails. The activities of such attackers are part of the wider global challenge posed by state-sponsored cyber threat actors, who are determined to remain one step ahead of the security industry.
