The North Korean threat actor Kimsuky is leveraging new email spoofing tactics in its recent spearphishing campaigns, the Federal Bureau of Investigation (FBI), U.S. Department of State and National Security Agency (NSA) warned in a joint advisory Thursday.
Kimsuky, also known as Emerald Sleet or APT43, is a subunit of the North Korean military’s Reconnaissance General Bureau (RGB) and is known for its spearphishing campaigns aimed at gathering intelligence on matters affecting North Korean interests. This includes information on geopolitical events and the foreign policy strategies of North Korea’s adversaries.
The group’s modus operandi is to impersonate legitimate journalists, think tanks, academics and other experts in East Asian affairs, convincing victims to open malicious links or documents under the guise of offering an interview, speaking engagement or other opportunity.
The attackers then deploy malware giving further access to the victim’s network and accounts, allowing them to steal pertinent documents, communication records and additional credentials.
In recent campaigns, spanning from the end of 2023 to the beginning of 2024, Kimsuky has been leveraging weaknesses in DNS Domain-Based Message Authentication, Reporting, and Conformance (DMARC) policies to spoof the email sender domains of the organizations they’re impersonating, lending extra legitimacy to their spearphishing efforts, the advisory states.
Kimsuky phishing emails reported to the FBI’s Internet Crime Complaint Center (IC3) were observed to have headers indicating the emails passed Sender Policy Framework (SPK) and DKIM (DomainKeys Identified Mail) checks but failed DMARC checks.
This indicates the attacker may have managed to send the email from the email client of a legitimate organization but manipulated the “From” field to show an email domain that misaligns with the actual email host. DMARC is meant to help organizations filter suspicious emails from manipulated “From” domains, but this requires organizations to set DMARC policies to quarantine or reject these emails.
Headers from the reported spearphishing emails show an authentication result of “dmarc=fail’ followed by “p=none,” meaning no action is taken despite the failure. This allowed the email to be passed along to the target’s inbox with no clear warning to the target about the spoofed “From” domain.
The advisory urges organizations to configure their DMARC policies to quarantine or reject emails with misaligned domains, such as those leveraged by Kimsuky for email spoofing. The warning also notes some red flags that an email may be related to Kimsuky’s campaign, including the attachment of documents that require the user to “enable macros” to view the document, and instructions to contact the sender at a different email address than that which appears in the “From” field.
"Since these campaigns are ongoing, law enforcement and those targeted can get ahead of Kimsuky by detecting preparation phases and profiling the attacker and the campaign. The key to this is the early detection of domains and IPs that Kimsuky intends to use," Malachi Walker, security advisor at DomainTools, told SC Media in an email. "By issuing this advisory, the FBI, the US Department of State, and the National Security Agency can give more notice to potential targets and help connect them with the advanced technology and information they need to detect and block this campaign."
Kimsuky has been shown to adapts its tactics using new tools and leveraging new vulnerabilities; the North Korean group was among one of the five state-sponsored threat actors discovered by Microsoft to be using ChatGPT for various tasks, the company revealed February.
The group also targeted the critical ConnectWise ScreenConnect flaw disclosed in late February with a new malware strain called ToddlerShark, attempting to exploit the flaw within days of its publication.
