Warning of Spearphishing Activities by North Korean Hacking Groups

The National Security Authority warns of cyberattack threats connected with the growing use of social engineering techniques by DPRK-sponsored hacking groups. The most prominent of these groups is Kimsuky (also tracked as APT43).

Their activities focus on spearphishing campaigns in which the actors impersonate journalists or academic scholars to collect information and documents on geopolitical events, foreign policy strategies and diplomatic efforts that could affect the DPRK regime, its nuclear programme and related matters.

The actors mainly target employees of think tanks, research centres, academic institutions, media organisations and government institutions, as well as diplomats, in the U.S., South Korea and Europe.

Kimsuky, like other North Korean hacking groups, is part of North Korea’s espionage apparatus and gathers intelligence on anything that could pose a political, military or economic threat to the security and stability of the DPRK regime.

In response to the growing threat, the U.S. and South Korean governments issued a joint warning about these activities on 1 June 2023, following a March 2023 warning about the Kimsuky group issued jointly by the German Federal Office for the Protection of the Constitution (BfV) and South Korea’s National Intelligence Service (NIS). These warnings indicate that the threat posed by the Kimsuky group is global and may affect both state and private sector entities.

The hacking activities of the Kimsuky group are characterized by the following features:

  • The attackers register email domains that resemble the real domains of journalists or media outlets, for example sending from “@XYZkoreas.news” when the genuine domain is “@XYZnews.com”. From these addresses they then send emails with malicious content.
  • To capture the victim’s attention they use pretexts such as a request for an interview, an expert survey, a request to review a document, or an offer of payment for authoring a research paper.
  • To gain trust they impersonate real people: before contacting the target, the actors compromise the email account of the person they are impersonating and misuse that person’s contact list or past email exchanges.
  • The initial email usually contains no malware; its purpose is to build the victim’s trust. Only later in the exchange do they send an email with malicious content.
  • They attempt to compromise the target’s account, device or network by delivering malicious code as a macro embedded in an office document (e.g. Microsoft Word). The document is either attached directly to the email, or the email links to a document stored on a file hosting service such as Google Drive or Microsoft OneDrive. The document asks the user to click “Enable Macros” in order to view it; because current Microsoft Office versions block macros in files downloaded from the internet by default, the document and the accompanying message are crafted to persuade the user to override that block.
  • They also build fake but very convincing copies of real websites or mobile apps and use them to trick victims into entering their login credentials or other information of interest. Compromising a target’s account can give persistent access to the victim’s communications: Kimsuky actors have been known to configure a victim’s email account to quietly forward all mail to an actor-controlled address.
  • Whatever language they are written in, the actors’ emails may contain misspellings or awkward sentence structure.
  • The actors prepare their attacks thoroughly and continuously refine their methods, making them increasingly difficult to detect.
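The two sender tricks described above, a lookalike domain and the name of a real contact on an unfamiliar address, can be checked mechanically before a user ever replies. The following is an added example and not code from the advisory or from any vendor; the address book, trusted domains and sample From: headers in it are constructed for illustration, and the homoglyph table is deliberately small. It shows that fuzzy matching alone does not catch the advisory’s own “@XYZkoreas.news” example (the brand label is too different), while a simple “known display name, unknown address” check does.

```python
"""Flag From: headers that impersonate a known contact or a trusted domain.

Added example; contacts, domains and headers are constructed, not real data.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed address book: display name -> address seen in verified past correspondence.
KNOWN_CONTACTS = {
    "jane reporter": "jane.reporter@xyznews.com",
    "prof. kim": "kim@example-thinktank.org",
}
TRUSTED_DOMAINS = {"xyznews.com", "example-thinktank.org"}

# Visually confusable substitutions seen in lookalike domains (deliberately non-exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "а": "a", "е": "e", "о": "o"}


def split_domain(domain):
    """Return (brand label, TLD) with a naive two-label rule.

    A production check should use the public suffix list so that e.g.
    'example.co.uk' is treated as one registrable domain.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def fold_homoglyphs(text):
    """Map look-alike characters back to the letters they imitate."""
    for look, real in HOMOGLYPHS.items():
        text = text.replace(look, real)
    return text


def assess_sender(header_from):
    """Return (address, findings). An empty findings list means nothing suspicious."""
    name, addr = parseaddr(header_from)
    if "@" not in addr:
        return addr, ["unparseable address"]
    domain = addr.rsplit("@", 1)[1].lower()
    findings = []

    # 1. A display name we know, used with an address we have never seen for that person.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        findings.append(f"display name matches known contact but address differs from {expected}")

    # Genuine domain or a genuine subdomain of it: no domain-level findings.
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return addr, findings

    # 2. A trusted domain embedded as a subdomain of an attacker-controlled one.
    for trusted in TRUSTED_DOMAINS:
        if domain.startswith(trusted + ".") or ("." + trusted + ".") in domain:
            findings.append(f"trusted domain {trusted} embedded in {domain}")

    # 3-5. Same brand with another TLD, a homoglyph spelling, or a near-miss spelling.
    sld, tld = split_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        t_sld, t_tld = split_domain(trusted)
        if sld == t_sld and tld != t_tld:
            findings.append(f"TLD swap of {trusted}")
        elif fold_homoglyphs(sld) == t_sld:
            findings.append(f"homoglyph variant of {trusted}")
        elif SequenceMatcher(None, sld, t_sld).ratio() >= 0.8:
            findings.append(f"typosquat of {trusted}")
    return addr, findings


if __name__ == "__main__":
    # Constructed sample headers, including the advisory's own lookalike pattern.
    for hdr in [
        "Jane Reporter <jane.reporter@xyznews.com>",
        "Jane Reporter <jane.reporter@xyzkoreas.news>",
        "News Desk <desk@xyznews.com.mail-verify.net>",
        "<editor@xyznevvs.com>",
        "<editor@xyznews.org>",
    ]:
        addr, findings = assess_sender(hdr)
        print(addr, "->", findings or "ok")
```

The check is only as good as the address book behind it, which is why the recommendations below insist on using known legitimate contact details: the “Jane Reporter” at xyzkoreas.news is caught purely because her real address was already on file.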

Based on these facts, the National Security Authority recommends that ordinary users of electronic communications observe the following measures:

  • Follow all cyber hygiene rules when communicating online:
    • do not open unverified messages or messages from unknown senders,
    • do not open suspicious attachments, even in familiar formats such as .pdf or .docx,
    • keep macros disabled in office documents,
    • do not open suspicious URL links,
    • if you use an email client, disable automatic attachment preview,
    • in case of doubt, verify the content of the message with the sender through another channel (by phone or in person),
    • never respond to messages requesting personal or sensitive data (login names, passwords, payment details).
  • Do not enable macros in documents received by email unless you have verified the source.
  • Do not open documents on cloud hosting services that are shared with you by email unless you are sure who sent them.
  • Closely scrutinise the identity of the sender. Be especially cautious of:
    • official messages coming from unofficial or personal email accounts (for example, from free email services such as Gmail),
    • domain and subdomain variations: the actors register a domain or craft an address that is hard to distinguish from the official one (compare the “@XYZkoreas.news” and “@XYZnews.com” example above).
  • If you were previously in communication with the individual, use the known legitimate contact information.
  • When in doubt, consult the organization’s official website for correct contact information.
  • Navigate to websites via a search engine’s non-sponsored results rather than by clicking a URL in the email.
  • Be cautious of any request to move an ongoing conversation to a separate messaging platform.
  • If you suspect phishing and the identity of the email sender cannot be verified, suggest communications via phone or video call. Cyber actors often try to avoid voice/video communications.
  • If you suspect phishing and the identity of the email sender cannot be verified, do not reply, click on links or open attachments. It is always better to ignore an email than to be caught by a phishing email.
  • Use robust passwords or passphrases (several words separated by spaces) for all your accounts and services, work and private alike. Use a unique password for each account or service; passwords for different accounts must not even be similar (the same base with a few characters changed, a shared prefix, and so on).
  • Enable multi-factor authentication wherever possible. As the second factor, prefer one-time codes from an authenticator app, physical security keys or biometrics. Avoid SMS and email codes: SMS can be intercepted or redirected, and an email code is worthless if the mailbox itself is what the attacker has compromised.
  • Regularly update your devices (PCs, laptops, mobile phones, tablets, smart devices, etc.), not only their operating systems but also the software and applications you use on them. Enable automatic updates and do not postpone them; install updates as soon as the manufacturer releases them.
  • Use additional security measures such as antivirus software. Avoid free software of unknown provenance with no reviews or track record, and give preference to reputable manufacturers.

For system administrators, the National Security Authority recommends the following:

  • Provide regular training programs and exercises for users to prepare them on how to respond to social engineering techniques.
  • Set up systems to require multi-factor authentication (MFA) for all services that allow it (especially for email, VPN, accounts that access critical systems and for privileged accounts).
  • Monitor and evaluate activity on your network. Focus on unusual communications, traffic on non-standard ports and attempts to connect through blocked ports. Also watch for access to your network from outside that is not standard practice, for example through desktop sharing software, an unexpected VPN client or a VPS.
  • If you use RDP, VNC or similar remote access methods, never expose them directly to the Internet; place them behind a VPN concentrator and keep their use to a minimum. Where the service supports it, require the end user to confirm each incoming connection to a workstation, and require multi-factor authentication at login.
  • Monitor all remote access and VPN services closely (e.g. alert the administrator each time a client connects and disconnects).
  • If you do not use remote access services, disable them.
  • Enforce account lockouts after a specified number of attempts to block brute force campaigns.
  • Restrict the Server Message Block (SMB) protocol so that only the servers that genuinely need it are reachable, and remove or disable outdated versions such as SMBv1.
  • Review the level of security within your supply chain. Ensure that all connections between third-party vendors and your systems and services are monitored and under your control.
  • Deploy central device management (MDM) and configure it so that only approved applications can be installed on company devices and users can change only essential settings. Consider requiring administrator credentials to install software.
  • Update operating systems, software and firmware on devices and servers as soon as an update is released. Regularly check for software updates and end-of-life notifications, and prioritise patching critical vulnerabilities. Use a centralized patch management system to automate and expedite the process.
  • Install and regularly update antivirus and antimalware software on all devices.
  • Add an email banner to messages coming from outside your organization indicating that they are higher risk messages.
  • Enable SPF, DKIM and DMARC on your email domains. This makes direct spoofing of your own domain considerably harder, but it does not by itself mitigate the tactics described above, because the actors typically send from lookalike domains they control rather than forging your domain, and a receiving server evaluates DMARC against the sending domain’s own DNS records.
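To make the DMARC caveat concrete, the following added example (not code from the advisory, and not real DNS data) parses constructed DMARC TXT records, reports the weaknesses an administrator should fix in their own record, and applies the RFC 7489 discovery rule to show which record a receiver actually consults for a given From: domain. For the lookalike “xyzkoreas.news” the answer is the attacker’s own record, or none at all, so the strict policy on xyznews.com never comes into play. The organisational-domain fallback is a naive two-label rule; a real receiver uses the public suffix list.

```python
"""Evaluate DMARC records and show which record governs a given From: domain.

Added example; the records below are constructed stand-ins for DNS TXT lookups
of _dmarc.<domain>, not real data.
"""

DMARC_RECORDS = {
    "xyznews.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@xyznews.com; adkim=s; aspf=s",
    "example-thinktank.org": "v=DMARC1; p=none; pct=50",
    # "xyzkoreas.news" (attacker-registered lookalike) publishes no record at all.
}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict and check the version tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def weaknesses(tags):
    """Return human-readable weaknesses of a parsed record (empty list = strict)."""
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail is filed as spam instead of rejected")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua: aggregate reports not collected, abuse goes unnoticed")
    if tags.get("adkim", "r").lower() != "s" or tags.get("aspf", "r").lower() != "s":
        issues.append("relaxed alignment: any subdomain of the organisational domain aligns")
    return issues


def organisational_domain(domain):
    """Naive organisational domain (last two labels); use the public suffix list in practice."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def governing_record(from_domain):
    """Return (domain whose record applies, parsed tags or None).

    Receivers first look up _dmarc.<From domain>, then _dmarc.<organisational domain>.
    A lookalike domain is a different organisational domain, so the victim
    organisation's record is never consulted for it.
    """
    from_domain = from_domain.lower()
    for candidate in (from_domain, organisational_domain(from_domain)):
        txt = DMARC_RECORDS.get(candidate)
        if txt:
            return candidate, parse_dmarc(txt)
    return from_domain, None


if __name__ == "__main__":
    for domain, txt in DMARC_RECORDS.items():
        print(domain, "->", weaknesses(parse_dmarc(txt)) or "strict")
    for sender in ("news.xyznews.com", "xyzkoreas.news"):
        applies_to, tags = governing_record(sender)
        print(sender, "is judged by", applies_to, "policy", tags["p"] if tags else "none published")
```

Run the module directly to see both halves: the organisation’s own record passes clean, the think tank’s record has four weaknesses to fix, and the lookalike domain is judged by nothing the organisation controls, which is exactly why the user-facing advice about scrutinising sender domains remains necessary even with DMARC enforced.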
