Beware! North Korean Hackers Spoofing Emails: US Warns

A joint advisory from the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the U.S. State Department warns of a new cyber threat emanating from North Korea. North Korean state-sponsored actors are sending emails to American organizations while masquerading as legitimate companies and individuals, increasing the risk of unauthorized access to private documents and communications.

The perpetrators exploit weak or missing DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies on the domains they impersonate. When a domain publishes no DMARC policy, or a policy of "none", receiving mail servers still deliver messages that fail SPF and DKIM checks, so a spoofed sender address reaches the inbox looking genuine and the social-engineering attempt is harder to spot. The technique is actively used to gather intelligence, including information about geopolitical events and the foreign policies of adversaries.

Spoofing Emails

The activity has been attributed to the North Korean group Kimsuky (also known as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima), which is associated by experts with the North Korean Reconnaissance General Bureau and considered a sister organization to the infamous Lazarus Group.

According to Proofpoint, Kimsuky began employing this method in December 2023, targeting experts in foreign policy, nuclear disarmament, and sanctions enforcement. The hackers typically engage in prolonged correspondence with their targets, building trust and using various aliases that mimic experts from academia, journalism, and independent research.

Notably, malware and credential harvesting were rarely used in this operation; most of the valuable information was extracted through ordinary, trust-based correspondence.

In one instance cited by U.S. authorities, an actor posing as a legitimate journalist requested an interview with an unnamed expert on North Korea's nuclear weapons program and asked that the reply be sent to a supposedly personal email address, which was in fact controlled by the attacker.

To reduce exposure, at-risk American organizations have been advised to set their DMARC policy to "quarantine" or "reject", so that receiving mail servers send messages failing authentication to spam or refuse them outright, and to enable DMARC aggregate reporting (the "rua" tag) so that spoofing attempts against their domains are reported back to them.
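The following script is an added example, not code from the advisory or the article. It parses a DMARC TXT record, flags the settings that let a spoofed From: domain reach the inbox (a "p=none" policy, partial "pct" enforcement, an unprotected subdomain policy, and missing "rua" reporting), shows what a receiving server would do with a spoofed message under each record, and emits a hardened record of the kind the advisory recommends. The sample record, domain and report mailbox are constructed for illustration.

```python
"""Added example (not from the advisory or the article): parse a DMARC TXT record,
flag the weak settings that let a spoofed From: domain reach the inbox, and emit a
hardened record. The domain and report mailbox below are made up for illustration."""

from typing import Dict, List

# Canonical tag order for the emitted record; v= must come first (RFC 7489).
TAG_ORDER = ["v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"]


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 is required)")
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings about settings that weaken spoofing protection (empty = enforcing)."""
    t = parse_dmarc(record)
    findings: List[str] = []
    policy = t.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: failures are only monitored, spoofed mail is still delivered")
    pct = int(t.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    subdomain_policy = t.get("sp", policy).lower()
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none: subdomains of this domain can still be spoofed")
    if "rua" not in t:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unnoticed")
    return findings


def receiver_disposition(record: str, spf_aligned_pass: bool, dkim_aligned_pass: bool) -> str:
    """What a receiving server does with a message under this policy (pct sampling ignored)."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"  # DMARC passes when either aligned check passes
    policy = parse_dmarc(record).get("p", "none").lower()
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


def harden_dmarc(record: str, rua: str, reject: bool = False) -> str:
    """Rewrite a record to an enforcing policy with aggregate reporting enabled."""
    t = parse_dmarc(record)
    t["p"] = "reject" if reject else "quarantine"
    t["sp"] = t["p"]        # cover subdomains explicitly
    t.pop("pct", None)      # enforce on 100% of failing mail
    t["rua"] = rua          # where receivers send aggregate reports
    ordered = [k for k in TAG_ORDER if k in t] + [k for k in t if k not in TAG_ORDER]
    return "; ".join(f"{k}={t[k]}" for k in ordered)


# Constructed sample records (hypothetical domain and mailbox).
WEAK_RECORD = "v=DMARC1; p=none"
HARDENED_RECORD = harden_dmarc(WEAK_RECORD, "mailto:dmarc-reports@example.org")

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(f"{name}: {rec}")
        for finding in assess_dmarc(rec) or ["no findings"]:
            print("  -", finding)
        # A spoofed message from an attacker's server fails both aligned SPF and DKIM.
        print("  spoofed message ->", receiver_disposition(rec, False, False))
```

Run it against the TXT record at `_dmarc.<your-domain>` to see how a spoofed message sent from an attacker's server (failing both aligned SPF and DKIM) would be handled; moving from "none" to "quarantine" is usually done after a period of reviewing the aggregate reports so that legitimate third-party senders are not quarantined by mistake.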