Mandiant Uncovers New North Korean APT Group
Mandiant has recently uncovered a new North Korean Advanced Persistent Threat (APT) group, tracked as APT43. The group uses cryptocurrency theft to fund its primary objective: cyber-espionage in support of the Kim Jong-un regime. APT43 activity has previously been reported under aliases such as “Kimsuky” and “Thallium,” and the group is believed to be linked to the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence service.
Notable Tactics and Targets
APT43 is recognized for its extensive spear-phishing campaigns, which are bolstered by aggressive social engineering techniques and the use of spoofed domains and email addresses. The group primarily focuses on gathering information related to foreign policy and nuclear security issues. However, in 2021, APT43 shifted its focus to target healthcare organizations, likely in response to the global pandemic. Its main targets include government entities in South Korea and the United States, as well as academic institutions and think tanks specializing in Korean geopolitical matters.
Sophisticated Social Engineering
One of APT43’s key tactics involves the creation of fake personas to facilitate social engineering efforts. These personas are used to establish cover identities for acquiring operational tools and infrastructure. Mandiant has observed instances where the group successfully tricked victims into divulging sensitive information without the need for deploying malware.
Michael Barnhart, a principal analyst at Mandiant, highlighted how APT43 has posed as journalists to gather intelligence of interest to the DPRK regime. These fake reporter personas have been particularly effective in eliciting responses from European organizations. Barnhart advises caution when engaging with unfamiliar individuals online and stresses the importance of verifying addresses and identities.
Self-Funded Operations
Unlike other cybercriminal groups that target cryptocurrency exchanges, APT43 focuses on individual victims to generate revenue for its state-sponsored activities. The group has employed various tactics, such as using a malicious Android app to target Chinese users seeking cryptocurrency loans and distributing phishing NFTs to crypto users across multiple blockchains.
Joe Dobson, a principal analyst at Mandiant, expressed concern over APT43’s rapid and successful execution of cyber attacks. He emphasized that the funds stolen by DPRK cyber-operators are channeled back to the regime to support its nuclear weapons development efforts.
Cryptocurrency Laundering
APT43 uses hash rental and cloud mining services to launder stolen cryptocurrency. By depositing the stolen coins into such a service and using the purchased hash power to mine a different cryptocurrency, the group ends up holding freshly mined funds with no on-chain link back to the theft, which makes them far harder to trace. This process allows DPRK-aligned APTs to clean their illicit proceeds and spend them for various purposes.
Overall, Mandiant’s findings shed light on the sophisticated tactics employed by APT43 and underscore the ongoing threat posed by North Korean state-sponsored cyber operations.