The state-backed actor has been observed taking advantage of poorly configured DMARC policies to conceal a new spear phishing campaign.
US government agencies have released an advisory warning of a new social engineering campaign operated by Kimsuky, a threat group backed by the Democratic People’s Republic of Korea.
The advisory – released by the FBI, Department of State, and National Security Agency – warns that the North Korean hackers are exploiting poorly configured Domain-based Message Authentication, Reporting and Conformance (DMARC) records, the DNS-published policy that tells receiving mail servers how to treat unauthenticated email.
DMARC policies tell a receiving mail server what to do with a message that fails email authentication; if a domain publishes no policy, or one that takes no action on failures, a threat actor can spoof that domain and send emails that appear to come from the legitimate organisation.
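To make the misconfiguration concrete, here is an added example (not from the advisory or this article) that parses DMARC TXT records and reports why spoofed mail would still reach inboxes; the domain names and records are constructed for illustration.

```python
# Constructed sample DMARC TXT records (hypothetical domains, not from the advisory).
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "strong.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example",
    "absent.example": None,  # no DMARC record published at all
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value."""
    if record is None:
        return {}
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return findings explaining why a spoofed message could still be delivered.

    An empty list means the record enforces rejection for the domain and its
    subdomains and asks for aggregate reports.
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record: receivers apply no policy, so spoofing is unconstrained"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported; spoofed mail is still delivered")
    # pct defaults to 100; a lower value applies the policy to only a fraction of failures.
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp defaults to the organisational policy when absent.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so abuse goes unnoticed")
    return findings
```

Running `assess_dmarc` over each record in `SAMPLE_RECORDS` shows that only the record with `p=reject` and `sp=reject` returns no findings.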
Kimsuky has been observed gathering open-source intelligence on its targets and creating entire personas as part of this latest spear phishing campaign.
“In addition to convincing email messages, Kimsuky cyber actors have been observed creating fake usernames and using legitimate domain names to impersonate individuals from trusted organisations, including think tanks and higher education institutions, to gain trust and build rapport with email recipients,” the agencies said in the joint advisory.
Using these techniques, North Korean state actors have posed as real academics, journalists and “other experts in east Asian affairs with credible links to North Korean policy circles”.
The spear phishing campaign revolves around emails sent to government organisations in both the US and other countries, posing as journalists seeking comment on international events or inviting experts on global politics to attend speaking events – even going so far as to offer a speaker’s fee. Follow-up emails establish trust before using what they’ve learnt from one individual to target another.
Kimsuky’s particular mission is to “provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and other experts”.
“The authoring agencies of this advisory assess the principal goals of North Korea’s regime cyber program include maintaining consistent access to current intelligence about the United States, South Korea, and other countries of interest to impede any perceived political, military, or economic threat to the regime’s security and stability,” the agencies said.
Mandiant senior analyst Gary Freas said the campaign allows North Korea to stay ahead of US sanctions.
“This has allowed them to target prominent entities in specialised fields and gather high-priority information for the North Korean regime by spoofing legitimate users’ email addresses from legitimate organisations to contact victims. It’s a rampant, but easy problem to fix,” Freas said.
“Their tactic allows them to collect information about upcoming sanctions from Western governments, as well as gather knowledge around nuclear deterrence and weaponisation responses from the US and its allies so the regime can better prepare in advance.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.