Archipelago and Kimsuky, Two Subsets of APT43, Are Active Threat Actors Supporting North Korea's Strategic Intelligence Gathering


A North Korean cyberespionage group known as APT43 has been exposed by the cybersecurity firm Mandiant. APT43, also tracked as Kimsuky or Thallium, primarily targets foreign policy and nuclear security issues, but in 2021 it switched to health-related verticals because of the COVID-19 pandemic. The group also carries out cybercrime operations to fund itself and the regime.

APT43 is a cyberespionage group that supports the interests of the North Korean regime. Mandiant has tracked the group since 2018, and its activity aligns with the mission of the Reconnaissance General Bureau, North Korea's main foreign intelligence service. APT43 uses spear phishing and social engineering to compromise its targets, often building convincing personas or spoofing the identities of key individuals. The Archipelago subset of APT43 has been observed targeting government and military personnel, think tanks, policymakers, academics, and researchers in South Korea, the US, and elsewhere. Archipelago also uses browser-in-the-browser techniques and sends benign PDF files, among other tactics, to trick users into handing over their credentials.

In addition to spear phishing, Archipelago has been known to use social engineering techniques such as posing as reporters or think-tank analysts to obtain expert knowledge from targets. The operators may build trust with a victim for days or weeks before sending a malicious link or file. Archipelago also uses browser-in-the-browser techniques, benign PDF files, and ISO files to deliver malware.

One of APT43's particular interests is cryptocurrency, which it uses to purchase the infrastructure and hardware devices that sustain its operations. The group uses hash rental and cloud mining services to mine cryptocurrency so that the mined coins carry no blockchain link back to the buyer's original payments. APT43 has also used a malicious Android application to target Chinese users interested in cryptocurrency loans and harvest their credentials.

To protect against APT43 and Archipelago, organizations should educate users about social engineering techniques, train them to detect and report phishing attempts, deploy security solutions that detect phishing emails and malware infection attempts, keep operating systems and software up to date and patched, and carefully vet anyone approaching their experts who may be masquerading as a journalist or reporter. Geopolitics experts and international policymakers in particular need to be trained to recognize an approach from an attacker posing as an innocent party. Before exchanging any intelligence, careful filtering of the people who approach experts is mandatory to protect the integrity of sensitive data.
