Two campaigns involving two different advanced persistent threat (APT) groups tied to North Korea were disclosed June 6 — one financially motivated, while the other was a social engineering campaign focused on gathering strategic intelligence.
In a blog post, the Inskit Group reported discovering malicious cyber threat activity spoofing several financial institutions and venture capital firms in Japan, Vietnam and the United States. The group, threat activity group 71 (TAG-71), closely overlaps with public reporting on the North Korean state-sponsored APT38, also known as Bluenoroff, Stardust Chollima, and BeagleBoyz.
The Insikt researchers said the North Korea-linked APT groups have a history of orchestrating financially motivated campaigns targeting cryptocurrency exchanges, commercial banks, and e-commerce payment systems globally. They said these patterns, including those exhibited in the most recent TAG-71 campaign, very likely supports the North Korean government’s continued efforts to generate funds for the regime, which remains under significant international sanctions.
Kimsuky group targets experts with social engineering campaign
SentinelLabs reported in a June 6 blog that the social engineering campaign they tracked was tied to the North Korean APT group Kimsuky, which was targeting experts in North Korean affairs and was part of a broader campaign discussed in a June 1 advisory by the National Security Agency.
The SentinelLabs researchers said the Kimsuky campaign aims to steal Google and subscription credentenials of a reputable news and analysis service focused on North Korea, as well as delivering reconnaissance malware. The researchers said Kimsuky engages in extensive email correspondence and uses spoofed URLs, websites imitating legitimate web platforms, and Office documents weaponized with the ReconShark malware — activity that indicated Kimsuky’s dedication to using social engineering for gathering strategic intelligence.
Whether it’s a spoofing attack or social engineering, the impacts of these cyberthreats, including leaked credentials, exposure of sensitive information and financial losses are often devastating for any organization, said Teresa Rothaar, governance, risk, and compliance analyst at Keeper Security.
Rothaar said these campaigns are particularly dangerous when coming from a well-resourced nation-state. Unlike a small, lone-wolf threat actor, Rothaar said a nation-state has the funding and manpower to create believable spoofs or social engineering campaigns without many common “tells,” such as poor spelling and grammar, that indicate an email or website may be illegitimate.
“While a well-funded threat actor poses a particularly serious threat to any organization, the means to prevent these attacks remain the same,” said Rothaar. “The use of a password manager will prevent credentials from being harvested from a phony website because the software won’t automatically fill the user’s information if it doesn’t match the legitimate URL stored in the user’s vault. Although social engineering attacks have become increasingly convincing, especially with the growing influence of AI, basic cyber hygiene measures, including the use of strong and unique passwords for every account, coupled with rigorous employee training, will help lessen the impact of such attacks.”
Menachem Shafran, vice president of product at XM Cyber, added that we see many attacks by North Korea focused on financial gain. Shafran said this includes ransomware or even many crypto-jacking attacks.
“North Korea uses cyber as a means to help the country survive the sanctions which have been placed on them,” Shafran pointed out.