A criminal cyber spy group believed to be backed by the North Korean government poses as journalists, academics and experts to trick its victims into giving out information that can be used for espionage.
It also spoofs websites of legitimate organizations to trick targets into giving out information that can be used in cybercrimes the group carries out to fund itself, according to a new report that tracked the cyber attackers’ operations over five years.
Google Cloud’s cybersecurity subsidiary firm Mandiant classified the group, which it calls APT43 and which it has been monitoring since 2018, as a “moderately-sophisticated cyber operator that supports the interests of the North Korean regime.”
The designation of the group as a “named threat actor” indicates that Mandiant’s cyber analysts had enough evidence to attribute activity to a specific group.
APT stands for “advanced persistent threats,” which the firm says are groups that “receive direction and support from an established nation state.”
APT43 has also been called “Kimsuky” or “Thallium” by other firms, which have their own naming conventions. Mandiant believes the firm could be part of North Korea’s main foreign intelligence agency.
“APT43 has demonstrated it can be quite fluid at adapting to the needs of the regime and shifts their targeting accordingly,” Gary Freas, a senior analyst at Mandiant, told RFA.
According to the report, APT43 conducted espionage against South Korean and U.S.-based government organizations, members of academia and think tanks that deal with North Korean geopolitical issues, and engaged in cyber crime to steal and launder crypto currency.
APT43’s most common attack involves impersonating experts or journalists in spear-phishing emails with the goal of getting information out of its victims.
In this scheme, the attacker poses as a reporter or a think tank analyst to collect intelligence, including by asking experts and academics to answer questions on topics related to North Korea. Often the attackers pretend to be people who are well known in their field to develop rapport with others in the field before asking them to provide strategic analysis on specific subjects.
In a sample example provided in the report, an attacker pretended to be a journalist with an email address ending in “@voanews.live,” which is similar to the “@voanews.com” addresses used by journalists working for U.S news outlet Voice of America.
The email requested a reaction to an Oct. 4, 2022, North Korean ballistic missile launch that flew over Japan, including asking the recipient if it meant that another North Korean nuclear test could be imminent, and if Japan might increase its defense budget or pursue a more “proactive” defense policy.
Because the focus of these types of attacks is often North Korean security and nuclear development, Mandiant believes “with moderate confidence” that APT43 operates under the Reconnaissance General Bureau, or RGB, North Korea’s main foreign intelligence service.
“Campaigns attributed to APT43 are closely aligned with state interests and correlate strongly with geopolitical developments that affect Kim Jong-un and the hermit state’s ruling elite,” the report said. “Since Mandiant has been tracking APT43, they have consistently conducted espionage activity against South Korean and U.S.organizations with a stake in security issues affecting the Korean peninsula.”
Mandiant also noted that it detected a shift in the group’s activity between October 2020 and October 2021 toward targeting the health care sector and pharmaceutical companies, likely to gather information to support a North Korean response to COVID-19. This indicates that the group adapts to changing priorities of the North Korean government.
“The kinds of questions we’re seeing them ask when they commission papers and when they ask for interviews are very much about potential responses to different stimuli,” Jenny Town, director of the Washington-based Stimson Center’s 38 North Project, during a discussion about APT43 in a podcast hosted by Mandiant.
“And really, [they’re] trying to better understand how different actions might be perceived, presumably to help them better decide where red lines are,” she said.
Emails indicate objectives
Town, who has herself been targeted by APT43 and impersonated by them when they target others, said that the emails can show what North Korea’s goals might be.
“The questions they’re asking make a lot of sense and give us a sense of the kinds of things they might be thinking of doing as well,” she said. “It’s always been really interesting to see the evolution and what they’ll ask different people.”
Freas said that the questions in the emails often show North Korea’s intent.
“Whenever APT43 goes after people, pretending to be a reporter or prominent analyst, they ask questions that are so specific to the regime’s priority intelligence requirements that they show us their hand,” he said. “This gives us good insight into what’s going on in the closed off nation and that data is very insightful to security vendors and for people that are trying to investigate this.”
Town said that other experts have come to consider it an indication of their success in the field when they are impersonated by what seems to be North Korean cyber attackers.
APT43 has also been known to target organizations for information about sanctions items that are banned for export to North Korea, the report said.
During the same podcast, Mandiant analyst Michael Barnhart said that APT43’s methods tend to work on older victims.
“Some of the younger folk aren’t so [eager] to click on a suspicious link, and so you might not get them quite there,” said Barnhart. “You’re looking at kind of an older crowd that probably has a little less cyber hygiene.”
‘Good at what they do’
“What this group lacks in sophistication they make up for in volume,” said Freas. “It is unique to see the success they are having with such widely known and frequently leveraged techniques.”
Freas explained that APT43 extensively researches people they can spoof and target to reach its goals.
“If APT43 fails with one target or one persona, they simply move onto the next set. They are agile, and we see them spinning up new personas and infrastructure for targeting very quickly, and at scale,” said Freas.
Barnhart said in the podcast that awareness of the group’s methods was necessary for potential victims to protect themselves.
“We’re trying to be proactive. We’re done kind of being reactive. We’re trying to try to get out there and get in front of it and your endpoint protections and stuff like that,” he said. “These guys … they’re good at what they do.”
Besides espionage, the group conducts internal monitoring of other North Korean groups and their operations.
For many years, the cash-strapped North Korean government has ordered government organizations to generate funds for their own operations, in line with North Korea’s founding juche ideology of self-reliance.
For factories or collective farms, this might mean that they sell some of their product on the open market to generate funds for raw materials or farming equipment.
But for APT43, much of their funding comes from crypto currency theft and laundering. To compromise financial data, the group engages in credential collection campaigns.
“In particular, the group registers domains masquerading as popular search engines, web platforms, and cryptocurrency exchanges in relevant target countries of interest,” the report said. “We believe these credentials are used to support operations that further APT43 missions.”
An example in the report showed the spoofed website of Cornell University, which instructed users to sign in with their cornell.edu credentials.
The group has also been known to spoof Google and Yahoo mail and other legitimate sites on domains it controls, to host “malicious scripts and tools,” said an advisory about the group published in 2020 by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
APT43 launders the ill-gotten cryptocurrency to mine for new cryptocurrency that can’t be traced back to the theft.
“In other words, they use stolen crypto to mine for clean crypto,” the report said.
Unlike other groups that engage in cybercrime, APT43 seems to be funding itself rather than generating income for the North Korean regime, which Mandiant said suggests a “widespread mandate” for government-backed groups to remain operational without resources from the central government.
Cyber attacks are the North Korean leadership’s “all-purpose sword,” and a weapon of mass destruction second only to Pyongyang’s nuclear weapons, said Daniel Russel, former assistant secretary of state for East Asian and Pacific affairs and current vice president for international security and diplomacy at the New York-based Asia Society Policy Institute.
“For the DPRK, cyber is a high-impact, low-cost, and low-risk digital-age tool for stealing cash and cryptocurrency, hacking secrets, and for terrorizing wired nations,” Russel told RFA’s English Service. “APT43 is part of a large, elite corps of highly trained cyber hackers that has likely already stolen billions of dollars, blunting the effect of sanctions.”
Russel said that North Korea has also experimented with cyberattacks against infrastructure overseas.
“Developed countries with sophisticated urban, aviation, communications, and electrical infrastructure are particularly vulnerable,” he said, adding that cyber attacks can be camouflaged so that they are hard to attribute to a particular country or entity. “It is no accident that North Korean hackers are embedded in China and Russia, utilizing servers in those countries to make retaliation by the United States risky.”
Russel said developing cyber capabilities can be done inexpensively, using widely available equipment.
“The spotlight on hacker groups like APT43 is essential, both as a warning to potential targets but also to galvanize cybersecurity companies to defend against their malicious attacks,” said Russel.
Edited by Boer Deng and Malcolm Foster.