Kimsuky APT poses as journalists and broadcast writers in its attacks

Pierluigi Paganini June 03, 2023

North Korea-linked APT group Kimsuky is posing as journalists to gather intelligence, a joint advisory from NSA and FBI warns.

A joint advisory from the FBI, the U.S. Department of State, the National Security Agency (NSA), South Korea’s National Intelligence Service (NIS), National Police Agency (NPA), and the Ministry of Foreign Affairs (MOFA), warns that North-Korea-linked Kimsuky APT group has been impersonating journalists and academics in a spear-phishing campaign aimed at individuals employed by research centers and think tanks, academic institutions, and news media organizations.

Kimsuky cyberespionage group (aka ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researcher in 2013. At the end of October 2020, the US-CERT published a report on Kimusky’s recent activities that provided information on their TTPs and infrastructure.

The APT group mainly targets think tanks and organizations in South Korea, other victims were in the United States, Europe, and Russia.

In the latest Kimsuky campaign, the state-sponsored group focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.

“Some targeted entities may discount the threat posed by these social engineering campaigns, either because they do not perceive their research and communications as sensitive in nature, or because they are not aware of how these efforts fuel the regime’s broader cyber espionage efforts. However, as outlined in this advisory, North Korea relies heavily on intelligence gained by compromising policy analysts.” reads the joint advisory. “Further, successful compromises enable Kimsuky actors to craft more credible and effective spearphishing emails that can be leveraged against more sensitive, higher-value targets.” 

The APT group has persistently refined its social engineering tactics, making its spear-phishing campaigns progressively harder to detect.

Kimsuky spear-phishing campaigns are often prepared with a detailed information-gathering activity aimed at identifying potential targets, then threat actors create a tailored network of online personas to appear more realistic and appealing to their victims.

Threat actors often impersonate real journalists and broadcast writers to appear as a credible front and make inquiries to prominent about political events in the Korean peninsula.

“Usually, the questions will revolve around current events and whether U.S. experts believe North Korea will re-join talks with the U.S., whether they believe North Korea will resume testing its missiles, and how they see China responding.” continues the advisory. “In many instances, Kimsuky actors do not attach malware to their initial email. Instead, they first send an introductory email to inquire about interview opportunities.”

The state-sponsored hackers initially send the request for the interview to the victims, the initial messages don’t contain malicious attachments or links. Once the attackers gained the victim’s trust the attackers send the questionnaire to the victim.

If the target does not respond to the spear-phishing emails, the threat actors send a follow-up message a few days later.

Kimsuky
Kimsuky

In some attacks, the state-sponsored hackers impersonated South Korean academic scholars asking to researchers at think tanks to participate in a survey, such as on North Korean nuclear issues and denuclearization on the Korean Peninsula or requesting an email interview.

In additional instances, Kimsuky operatives assume the identities of respected researchers affiliated with South Korean think tanks, then send spear-phishing emails to political figures and North Korean experts.

Kimsuky actors were also observed impersonating officials handling North Korean policies within governmental entities like the South Korean National Assembly or the presidential office.

Additionally, the APT group also impersonates operators or administrators of popular web portals claiming that a victim’s account has been locked following suspicious activity or fraudulent use.

The advisory includes potential mitigation measures for email recipients and recipients’ systems administrators.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT)



you might also like

leave a comment