
Meet APT43: The group that hacks, spies and steals for North Korea’s ruling elite


A newly classified espionage-minded APT group linked to North Korea’s Reconnaissance General Bureau has been targeting U.S. and Western governments, think tanks and academics with “prolific” and “aggressive” social engineering, according to Mandiant.

While Pyongyang has many dedicated hacking groups, the newly minted APT43 (sometimes referred to as “Kimsuky”) is believed to be one of the most closely aligned with the personal and geopolitical objectives of dictator Kim Jong Un and his ruling elite.

The group’s main focus is collecting strategic intelligence for the Hermit Kingdom, particularly around foreign policy and issues related to its nuclear weapons program, though more recently operators shifted their attention to the health care vertical, likely in response to the COVID-19 pandemic.

Unlike many APTs, this group doesn’t tend to rely on zero days, unique malware or advanced intrusion techniques. Its modus operandi is social engineering, impersonating journalists, researchers and other personas to steer targets into divulging geopolitical insights or conversations from policymakers and governments deemed hostile to North Korean interests.

Their main tools for doing so are spear-phishing, credential harvesting, false personas, and the use of spoofed website domains that make them look like credible or legitimate information gatherers.
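Because the group leans on look-alike domains rather than exploits, the defensive check that matters most at the mail gateway is whether a sender's domain imitates an organization the recipient already trusts. The following is an added example, not code from the article or from Mandiant: it folds a sender domain through a small set of confusable characters, then flags homoglyph, top-level-domain swap, typosquat and embedded-name variants of a trusted domain. The trusted domains, the confusable table and every sender address below are constructed for illustration and are not indicators from the report.

```python
"""Flag sender domains that imitate trusted organizations (a think tank or a
news outlet whose staff a phishing persona claims to be). Constructed example:
the domain lists below are made up and are not indicators from the Mandiant report."""
import unicodedata

# Domains the organization trusts (constructed for this example, assumed to be
# stored already in plain ASCII form).
TRUSTED_DOMAINS = ["example-thinktank.org", "example-news.com", "example-university.edu"]

# A small illustrative subset of Unicode confusables and ASCII look-alikes;
# a production filter would use the full Unicode confusables table.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "і": "i"}
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]
DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Fold a domain to the ASCII string a human would read it as."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())
    folded = unicodedata.normalize("NFKD", folded).encode("ascii", "ignore").decode()
    for pair, single in MULTI_CHAR:
        folded = folded.replace(pair, single)
    return folded.translate(DIGITS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between registrable labels suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_tld(domain: str):
    """Naive split into (everything before the last dot, suffix).
    Good enough for .com/.org/.edu; multi-part suffixes such as .co.uk need a public suffix list."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched trusted domain or the sender domain if unknown)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    try:  # mail headers carry internationalized domains as punycode; fold them back first
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    norm = normalize(domain)
    n_label, n_tld = split_tld(norm)
    for t in trusted:
        t_label, t_tld = split_tld(t)
        if norm == t:                                 # differs only by confusable characters
            return ("lookalike_homoglyph", t)
        if n_label == t_label and n_tld != t_tld:     # same name, different suffix
            return ("lookalike_tld_swap", t)
        if levenshtein(n_label, t_label) <= max_distance:
            return ("lookalike_typo", t)
        if t in norm or t_label in n_label:           # trusted name buried in a longer domain
            return ("lookalike_embedded", t)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample senders, one per detection class.
    for addr in ["reporter@example-news.com", "reporter@examp1e-news.com",
                 "reporter@example-news.org", "reporter@exampel-news.com",
                 "press@example-news.com.mail-login.net", "someone@gmail.example"]:
        print(addr, "->", classify_sender(addr))
```

The verdict is only a triage signal: an "unknown" domain from a real journalist is the normal case, and the point is to surface the look-alikes so that a persona claiming to be from a known outlet is verified out of band before anyone answers the questions it asks. Legitimate trusted domains that contain digits or the folded letter pairs would need to be stored in their folded form, since the comparison is made against the folded sender.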

“What they lack in sophistication they make up for in volume,” Michael Barnhart, a principal analyst at Mandiant who focuses on North Korea, told SC Media in an interview. “We’ll see them go after 100 targets … they just need [one or two] to take the phishing bait, because at that point, they can then compromise one account to get into the contacts and then immediately rinse and repeat with an entire brand new set of contact emails to get through.”

APT43 is known for asking detailed questions of its targets around North Korea’s weapons program to glean insights into the decision-making of policymakers in the U.S., South Korea, Japan and Western Europe. In some cases, the group was observed sending out fresh spearphishing emails within hours or days of a North Korean missile launch or provocative statement from Kim Jong Un, presumably to gauge the reaction of geopolitical foes.

A screenshot of a sample spearphishing email from APT43 posing as a journalist inquiring about a North Korean missile launch in 2017. (Source: Mandiant)

Like many North Korean hacking groups, APT43 is believed to fund its own operations through theft and cybercrime. The outfit steals cryptocurrency from victims’ wallets and launders it through hash rental and cloud-mining services, which convert the stolen funds into freshly mined currency that is harder to trace back to the theft. Those funds are then used to buy more infrastructure and tooling to support hacking operations.

“Generally, when it comes to this threat actor, they’re scrappy. They’re going to take it however they can get it,” said Joseph Dobson, a principal analyst at Mandiant who focuses on cryptocurrency theft. “So if they have malware on a victim’s machine … if you have a local wallet on your machine, the keys for that wallet will be stored in a file and a lot of times even today, those files are still unencrypted, and they can easily lift that file and now they have the keys to your wallet … and they can move [money] around as they like.”

While Mandiant has been tracking the group since 2018, the Google-owned threat intelligence outfit is now designating it as an official advanced persistent threat group.

Mandiant labels major, distinct, clearly defined hacking groups as “APTs” for state-backed outfits and “FINs” for financially motivated cybercriminal gangs. Below that level, it also keeps tabs on dozens of clusters of hacking activity, referred to as “UNCs,” where there is lower confidence around attribution or overlap with other identified groups or campaigns.

When researchers gather enough telemetry and intelligence about a particular UNC and are confident they represent a new or distinct group of operators, they will sometimes “graduate” a cluster to a fully fledged APT or FIN group.

Barnhart said the decision to give the group APT status was partly influenced by Pyongyang’s growing nuclear and ballistic weapons program and a desire to “elevate” the profile and awareness of the state-backed hacking groups that support them. North Korea has undertaken nearly 40 ballistic and nuclear missile tests in 2022 and 2023 alone.

“We wanted to elevate them [because] in this growing time we have North Korea doing all these missile tests — every other day it seems like — and as they build out their weapons program we wanted to really highlight the APTs that focus on that as well,” said Barnhart.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
