North Korean threat group Kimsuky has recently launched a social engineering campaign against a number of experts specializing in North Korean affairs in order to steal their Google account credentials and gather intelligence.
According to Tuesday SentinelLabs research, the APT specifically targeted readers of NK News, a leading subscription service that provides news and analysis about North Korean affairs. Kimsuky used a number of social engineering tactics in email correspondence - including spoofed URLs and websites that imitated legitimate platforms - in order to both impersonate NK News and steal various credentials that are both reused in future campaigns and leveraged to log in to the NK News subscription service.
“By actively targeting high-profile experts in North Korean affairs and stealing subscription credentials from prominent news and analysis outlets focussing on North Korea, Kimsuky demonstrates a heightened curiosity in understanding how the international community perceives developments concerning North Korea, such as the country’s military activities,” said Aleksandar Milenkoski, senior threat researcher at SentinelLabs. “These actions are probably part of their broader objective to gather strategic intelligence, contributing to North Korea’s decision-making processes.”
The group’s campaign reflect how it builds trust with targets before initiating attacks. For instance, Kimsuky impersonated Chad O’Carroll, the founder of NK News, in emails that requested that recipients review a draft article that analyzed the nuclear threat posed by North Korea. These emails used attacker-created domains (nknews[.]pro) that mimicked the legitimate NK News domain (nknews.org).
The targets would then be redirected from the spoofed URL to a malicious website that aims to capture their Google account credentials. In some cases the threat group would also deploy Office documents weaponized with ReconShark, reconnaissance malware that has previously been identified as a central piece to Kimsuky's operational playbook.
“Successful compromises enable Kimsuky actors to craft more credible and effective spearphishing emails that can be leveraged against more sensitive, higher-value targets.”
Other attacks focused on stealing subscription credentials that would allow attackers to access NK News itself, giving Kimsuky actors strategic insight into how North Korean developments are viewed by the international community. Here, threat actors sent targeted individuals emails that prompted them to log into a spoofed NK News subscription service via a fake, attacker-controlled login site.
SentinelLab researchers said their findings show the social engineering tactics used by Kimsuky for gathering strategic intelligence. The group, which has been around since at least 2012, is likely tasked by the North Korean regime with global intelligence gathering campaigns and has stolen information related to weapon and satellite development. Kimsuky has previously operated through social engineering, spearphishing and watering hole attacks to target victims in South Korea, Japan and the U.S., according to CISA.
Last week, the threat group was sanctioned by South Korea’s Ministry of Foreign Affairs, which disclosed two cryptocurrency addresses for identifying the organization.
Several U.S. agencies, including the FBI And NSA, also issued a joint advisory last week broadly highlighting Kimsuky’s social engineering capabilities in attacks that targeted think tanks, academic institutions and news media organizations. In addition to URL spoofing and impersonating real people for gaining trust, Kimsuky is known to use multiple personas for engaging a target via email in hopes of making the attack appear more legitimate, according to the joint advisory, a tactic that has increasingly been used over the past year by attackers like Iranian threat actor TA453.
“Successful compromises enable Kimsuky actors to craft more credible and effective spearphishing emails that can be leveraged against more sensitive, higher-value targets,” according to the joint advisory. “The authoring agencies believe that raising awareness of some of these campaigns and employing basic cyber security practices may frustrate the effectiveness of Kimsuky spearphishing operations.”