Researchers warn of a social engineering campaign by the North Korean APT group known as Kimsuky that attempts to steal email credentials and plant malware.
The campaign, focused on experts in North Korean affairs, is part of this group's larger intelligence gathering operations that target research centers, think tanks, academic institutions, and news outlets globally.
"Kimsuky, a suspected North Korean advanced persistent threat (APT) group whose activities align with the interests of the North Korean government, is known for its global targeting of organisations and individuals," researchers from security firm SentinelOne said in a report. "Operating since at least 2012, the group often employs targeted phishing and social engineering tactics to gather intelligence and access sensitive information."
Impersonating a trusted source of North Korean news and policy analysis
In the campaign that SentinelOne analysed and which serves as an example of the depth of Kimsuky's social engineering, the group impersonated the founder of NK News, an American subscription-based news website focused on North Korean affairs. This is part of the Kimsuky's increasingly common approach of establishing a rapport with its targets before delivering a malicious payload.
In this case, the rogue email was sent to victims from a domain name that closely resembles that of NK News and asked them to review a draft article about the nuclear threat posed by North Korea. If the victims responded and replied to the message, the attackers followed up with an URL to a document hosted on Google Docs that then redirected them to a page designed to capture Google credentials.
"The URL’s destination is manipulated through the spoofing technique of setting the href HTML property to direct to a website created by Kimsuky," the researchers said. "This method, commonly employed in phishing attacks, creates a discrepancy between the perceived legitimacy of the link (a genuine Google document) and the actual website visited upon clicking the URL."
In fact, the displayed URL does indeed lead to an article on Google Docs with the topic North Korean nuclear threat that includes edits and comments to make it look like it is indeed a work in progress. This highlights that the attackers took the time to make their attack as believable as possible. In fact, the phishing page that users land on when clicking on the URL mimics the page that Google Docs normally shows when someone needs to request access to a document.
For certain targets who engage in conversation with the attackers, the group decides to send weaponised password-protected Word documents that deploy a reconnaissance malware payload called ReconShark. This program probes systems for the presence of known security software and collects information about the target's computer that can be used to plan a future attack.
In a separate campaign, the group also sent out fake emails with the goal of stealing login credentials for PRO subscriptions to the NK News website itself. The rogue emails instruct users to review their accounts for security reasons following misuse by supposed attackers. Users are then taken to a phishing site that mimics the real NK News login page.
"Gaining access to such reports would provide Kimsuky with valuable insights into how the international community assesses and interprets developments related to North Korea, contributing to their broader strategic intelligence-gathering initiatives," the SentinelOne researchers said.
A larger focus on policy analysts
This latest campaign overlaps with North Korean social engineering activity documented in a joint threat advisory released last week by the US and South Korean governments. In the advisory, Kimsuky activity is attributed to the Reconnaissance General Bureau (RGB), North Korea's intelligence agency, which is believed to operate multiple such cyberattack teams.
Kimsuky seems particularly focused on stealing data and gathering valuable geopolitical insight for the North Korean government. "Some targeted entities may discount the threat posed by these social engineering campaigns, either because they do not perceive their research and communications as sensitive in nature, or because they are not aware of how these efforts fuel the regime’s broader cyber espionage efforts," the report's authors note. "However, as outlined in this advisory, North Korea relies heavily on intelligence gained by compromising policy analysts. Further, successful compromises enable Kimsuky actors to craft more credible and effective spearphishing emails that can be leveraged against more sensitive, higher-value targets."
It's worth noting that APT groups associated with the Iranian government use similar tactics of targeting academic researchers, policy analysts, and think tanks using impersonation and well-crafted emails.