North Korean hackers impersonated journalists to gather intel from academics and think tanks

Security researchers have warned that North Korean government-backed hackers are impersonating journalists to gather strategic intelligence to help guide the country’s decision making.

SentinelLabs researchers said on Tuesday that they had linked a social engineering campaign targeting experts in North Korean affairs to a North Korean advanced persistent threat (APT) group known as Kimsuky. The group, also known as APT43, Thallium and Black Banshee, has been operating since at least 2012 and is known for using social engineering and targeted phishing emails to gather sensitive information on behalf of the North Korean regime.

Kimsuky’s latest social engineering campaign targeted subscribers of NK News, an American subscription-based website that provides stories and analysis about North Korea.

SentinelLabs observed Kimsuky impersonating Chad O’Carroll, the founder of NK News, to deliver a spoofed Google Docs web link to NK News subscribers, which redirected to a malicious website specifically crafted to capture a victim’s Google credentials. In some cases, the Kimsuky hackers also delivered a weaponized Microsoft Office document that executes the ReconShark malware, which is capable of exfiltrating information like what detection mechanisms are in use on a device and information about the device itself.

In another attack observed by SentinelLabs, Kimsuky distributed an email that asked subscribers to log in to a spoofed NK News subscription service. Gaining access to users’ NK News credentials would provide the North Korean hackers with “valuable insights into how the international community assesses and interprets developments related to North Korea, contributing to their broader strategic intelligence-gathering initiatives,” wrote Aleksandar Milenkoski, a senior threat researcher at SentinelLabs.
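The two lures described above share a pattern a mail-triage rule can catch: a message whose display name matches a known contact but arrives from an unexpected domain, and a link whose visible text promises Google Docs while its target is somewhere else. The following is an added illustration written for this article, not code from SentinelLabs or from the report; the contact directory, the domains and the sample messages are all constructed placeholders, and the checks are deliberately simple heuristics rather than a complete anti-phishing system.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed directory of known senders: display name -> domain the mail
# should come from. "news-example.org" is a placeholder, not a real domain.
KNOWN_CONTACTS = {
    "chad o'carroll": "news-example.org",
}

# Hosts a "Google Docs" link is allowed to point at.
TRUSTED_LINK_HOSTS = {"docs.google.com", "drive.google.com"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_sender(from_header):
    """Flag a known contact's display name arriving from the wrong domain."""
    name, addr = parseaddr(str(from_header))
    domain = addr.rsplit("@", 1)[-1].lower()
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and domain != expected:
        return f"display name '{name}' expected from {expected}, sent from {domain}"
    return None


def check_links(html_body):
    """Flag links whose visible text suggests Google Docs but whose target is not."""
    findings = []
    parser = LinkExtractor()
    parser.feed(html_body)
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if ("google" in text.lower() or "docs" in text.lower()) and host not in TRUSTED_LINK_HOSTS:
            findings.append(f"link text '{text}' points to {host}")
    return findings


def triage(raw_message):
    """Return a list of findings for one RFC 5322 message; empty means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender_finding = check_sender(msg["From"])
    if sender_finding:
        findings.append(sender_finding)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings.extend(check_links(body.get_content()))
    return findings


# Constructed sample: lookalike sender domain plus a spoofed "Google Docs" link.
SAMPLE_PHISH = """\
From: Chad O'Carroll <chad.ocarroll@mail-lookalike.example>
To: subscriber@example.net
Subject: Draft for your review
Content-Type: text/html; charset="utf-8"

<p>Could you look at this draft before Friday?</p>
<a href="https://docs-share.example/view/abc">Open in Google Docs</a>
"""

# Constructed sample: same contact from the expected domain, real Google Docs host.
SAMPLE_BENIGN = """\
From: Chad O'Carroll <chad@news-example.org>
To: subscriber@example.net
Subject: Draft for your review
Content-Type: text/html; charset="utf-8"

<p>Could you look at this draft before Friday?</p>
<a href="https://docs.google.com/document/d/abc">Open in Google Docs</a>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

The rapport-building emails the report mentions, which carry clean links and documents, would produce no findings here, which is exactly why the sender check matters: it fires on the impersonation itself rather than on the payload.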

Kimsuky was also observed sending legitimate Google Docs links and Word documents that were free of malware in order to develop a rapport with their targets before initiating their malicious activities.

SentinelLabs’ analysis comes days after the U.S. and South Korean governments issued an advisory warning that Kimsuky had been carrying out targeted spearphishing attacks to funnel valuable geopolitical insights and other stolen data to the North Korean regime.

The joint advisory warned that the Kimsuky group was impersonating journalists, academics, think tank researchers and government officials to target individuals working on North Korean affairs.

“These cyber actors are strategically impersonating legitimate sources to collect intelligence on geopolitical events, foreign policy strategies, and security developments of interest to [North Korea] on the Korean Peninsula,” NSA cybersecurity director Rob Joyce said. “Education and awareness are the first line of defense against these social engineering attacks.”

At the time, South Korea’s Ministry of Foreign Affairs (MOFA) also imposed sanctions on the North Korean hacking group and identified two cryptocurrency addresses used by Kimsuky. The government also accused the group of being involved in a failed spy satellite launch last week.