The US Federal Bureau of Investigation (FBI) has issued a joint advisory warning of a new tactic being used by North Korean intelligence-gathering cyber group Kimsuky. The warning is squarely aimed at think tanks, academic institutions, non-profit organizations, and members of the media in Western countries. Despite North Korea’s previous reliance on revenue from international crime to finance its weapons and military programs, the FBI reports that Kimsuky’s role is intelligence gathering.
Kimsuky exploits improperly configured Domain Name System (DNS) records to mimic legitimate email senders and compromise targeted individuals. Without a properly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy published in DNS, malicious hackers can send spoofed emails that appear to come from a legitimate domain’s mail exchange, and receiving mail servers have no instruction to quarantine or reject them.
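As an added illustration of the DMARC gap described above (example code written for this article, not from the FBI advisory or any named organization), the following Python checker parses the text of a `_dmarc.<domain>` TXT record and reports whether it actually instructs receivers to block spoofed mail. The domain names and records in `SAMPLE_RECORDS` are constructed for the example; in practice the record is retrieved with a DNS TXT lookup of `_dmarc.<domain>`.

```python
"""Classify DMARC records by the spoofing exposure they leave open.

Constructed example: the records below are invented for illustration and
do not describe any real domain. A record is only 'enforcing' when it asks
receivers to quarantine or reject 100% of failing mail, including mail that
claims to come from subdomains.
"""
from typing import Optional

# Constructed sample records keyed by placeholder domain names (not real).
SAMPLE_RECORDS = {
    "none-record.example": None,  # no _dmarc TXT record published at all
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@enforced.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "broken.example": "p=reject; v=DMARC1",  # v tag must come first (RFC 7489 s6.3)
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into a tag->value dict; raise ValueError if malformed."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must start with v=DMARC1; receivers ignore records that do not.
    if not parts or not parts[0].lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p tag missing")
    return tags


def assess_dmarc(record: Optional[str]) -> str:
    """Return one of: missing, invalid, monitor-only, partial, subdomain-gap, enforcing."""
    if record is None:
        return "missing"
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return "invalid"  # a receiver treats an unparseable record as absent
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"  # reports are sent, but spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if pct < 100:
        return "partial"  # only a sample of failing mail gets the policy applied
    # sp defaults to p; an explicit sp=none leaves every subdomain spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none":
        return "subdomain-gap"
    return "enforcing"


def spoofable(record: Optional[str]) -> bool:
    """True when a receiver honouring this record could still deliver spoofed mail."""
    return assess_dmarc(record) != "enforcing"


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:24} {assess_dmarc(rec):14} spoofable={spoofable(rec)}")
```

The distinctions the checker draws are the ones that matter for the advisory's warning: a domain with no record, an invalid record, or `p=none` is fully spoofable even though it may look "DMARC-enabled" in an audit, and `pct` below 100 or `sp=none` leaves a partial gap that a targeted spear-phishing sender can still use.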
According to the FBI: “The North Korean cyber actors have conducted spear-phishing campaigns posing as legitimate journalists, academics, or other experts in East Asian affairs with credible links to North Korean policy circles.”
It is understood that North Korea leverages these highly targeted and personalized spear-phishing campaigns to collect intelligence from Western powers on geopolitical events, adversaries’ foreign policy strategies, and any information affecting North Korean interests. These campaigns begin with broad research and preparation, leveraging open-source information such as public-facing websites and social networks such as LinkedIn to identify targets of potential value.
The next stage is to create tailored online personas designed to appear more realistic and appealing to their targets. The North Korean hackers also use content from emails of previously compromised email accounts to enhance the seeming authenticity of their spoofed emails. North Korea’s endgame is to gain illicit access to targets’ private documents, research, and communications.
The FBI believes that the North Korean regime’s cyber program is currently focused on gaining and maintaining consistent access to current intelligence about the United States, South Korea, and European countries of interest, in order to impede any perceived political, military, or economic threat to the communist regime’s security and stability.
The joint cybersecurity advisory issued by the FBI, the US Department of State, and the National Security Agency recommends that users in countries that may be of interest to the North Korean intelligence services immediately update their organization’s DMARC security.