NSA warns users about email attacks by N. Korean hacker group
FBI and NSA say a North Korean hacker group known as Kimsuky used malware to gain unauthorized access to organizations’ email domains by posing as authorized users
The U.S. government warned on Thursday that a North Korean hacking group is targeting academic institutions, think tanks, nonprofit organizations, and journalists via poorly configured email servers.
According to a joint advisory from the State Department, FBI, and NSA, the group known as Kimsuky is using malware to gain unauthorized access to the email domains of organizations while posing as authorized users.
Kimsuky is believed to operate under the Reconnaissance General Bureau (RGB), the DPRK’s military intelligence directorate. Private-sector cybersecurity researchers track the same unit under names such as Emerald Sleet, APT43, and Velvet Chollima.
The group delivers fraudulent content through phishing emails. Once an operative has established what looks like a normal exchange with the target, follow-up replies carry malicious links and attachments capable of extracting the recipient’s confidential information.
In one case, a Kimsuky operative posed as a journalist soliciting commentary on North Korea-related geopolitical issues. Because of the inadequate email configuration, the fake reporter was able to alter the “Reply-To” address so that responses intended for the compromised account were redirected to an account under North Korean control.
The weakness lies in how organizations configure Domain-based Message Authentication, Reporting, and Conformance (DMARC), a protocol that lets system administrators curb phishing and spoofing by controlling unauthorized use of their email domains.
According to the advisory, indicators such as misspellings, awkward English sentence structure, and email content duplicated from earlier correspondence with other victims may help targeted organizations identify the fraudulent messages. It also recommends that organizations tighten their DMARC policies, for example by configuring them so that messages that fail to align with the sending domain are treated as spam.
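As an added illustration (not code from the advisory or the article), the following Python model shows how a receiving mail server applies a sender domain’s DMARC policy, and why a record with p=none lets a spoofed message through while p=quarantine or p=reject does not. The domain example.org, the two records, and the message details are constructed samples.

```python
# Added example: receiver-side DMARC evaluation (RFC 7489 semantics, simplified).
# The records and domains below are constructed samples, not from the advisory.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
HARDENED_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag/value dict, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) allows a subdomain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if auth_domain == from_domain:
        return True
    return mode == "r" and auth_domain.endswith("." + from_domain)


def disposition(record: str, from_domain: str, spf_pass_domain=None, dkim_pass_domain=None) -> str:
    """Return 'pass' if the message satisfies DMARC, otherwise the sender's policy.

    from_domain: domain in the visible From: header the recipient sees.
    spf_pass_domain / dkim_pass_domain: the domain that passed SPF (envelope sender)
    or DKIM (d= tag), or None if that check failed. A spoofer can pass SPF for a
    domain they own, but it will not align with the impersonated From: domain.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")  # 'none' means the failing message is still delivered


if __name__ == "__main__":
    # Spoofed message: From: example.org, but SPF only passes for the sender's own domain.
    for record in (WEAK_RECORD, HARDENED_RECORD):
        action = disposition(record, "example.org", spf_pass_domain="unrelated-sender.example")
        print(f"{record!r} -> {action}")
```

With the weak record the spoofed message is delivered unchanged (action "none"); with the hardened record the receiver quarantines it.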
Elaborate schemes that finance Pyongyang’s nuclear weapons program are run by North Korean operatives planted in companies around the world while posing as legitimate IT personnel. Cryptocurrency theft has also funded the programs; according to public U.S. assessments, these schemes have financed approximately fifty percent of the DPRK’s missile projects.
In November, the Treasury Department sanctioned Kimsuky, citing its intelligence gathering in support of Pyongyang’s national interests, along with eight North Korean agents who facilitated revenue generation for the country’s nuclear missile activities.
According to a February U.S. intelligence assessment, the nation’s cyber forces have reached maturity and will “continue its ongoing cyber campaign, particularly cryptocurrency heists; seek a broad range of approaches to launder and cash out stolen cryptocurrency; and maintain a program of IT workers serving abroad to earn additional funds.”
Source: Newsroom