Another year, another North Korean malware-spreading, crypto-stealing gang named
Mandiant identifies 'moderately sophisticated' but 'prolific' APT43 as global menace
Google Cloud's recently acquired security outfit Mandiant has named a new nasty from North Korea: a cyber crime gang it calls APT43 and accuses of a five-year rampage.
"Mandiant assesses with high confidence that APT43 is a moderately sophisticated cyber operator that supports the interests of the North Korean regime," states a report on the gang released on Wednesday.
The report observes that APT43's activities have sometimes been attributed to actors known as "Thallium" or "Kimsuky" – such as the 2021 attack on South Korea's nuclear research agency.
That raid is typical of APT43's activities. It aligns with the gang's goal of strategic intelligence collection to keep North Korea informed of its foes' activities and capabilities.
APT43 mostly uses spear phishing and fake websites to gather information, eschewing zero-day vulnerabilities. Once it compromises a target, the gang's favorite tool is LATEOP – a backdoor based on VisualBasic scripts. It's also used malware such as gh0st RAT, QUASARRAT, and AMADE to go about its business. The gang appears not to be a notable malware innovator, but Mandian has observed "a steady evolution and expansion of the operation's malware library over time."
As North Korea's needs change, so do APT43's activities and targets. Before 2020 it targeted diplomatic organizations and think tanks that considered strategic issues around the Korean peninsula. It then shifted focus to healthcare organizations, in what Mandiant assesses was a desire to gather information related to COVID-19.
Those shifts have seen the group attack different types of target. But Mandiant's analysts believe it has an overarching purpose of "enabling North Korea's weapons program, including: collecting information about international negotiations, sanctions policy, and other countries' foreign relations and domestic politics as these may affect North Korea's nuclear ambitions."
APT43 funds its own activities by stealing and laundering cryptocurrency, but those heists aren't its purpose. Indeed, North Korea backs another gang – APT38 – to pinch cryptocurrency.
- Russian developers blocked from contributing to FOSS tools
- Norway finds a way to recover crypto North Korea pinched in Axie heist
- FBI catches up with infosec and crypto communities, blames Lazarus Group for $100 million heist
- Crypto exchanges freeze accounts tied to North Korea’s notorious Lazarus Group
But the gangs don't operate in isolation. Mandian asserts "APT43 has shared infrastructure and tools with known North Korean operators, highlighting its role and mission alignment in a wider state-sponsored cyber apparatus."
Intriguingly, Mandiant thinks APT43 may also have a role in policing some of that apparatus.
"We have some indication that APT43 also carries out internal monitoring of other North Korean operations, including non-cyber activities," the report asserts. "APT43 has compromised individual espionage actors, including those within its own operations. However it is unclear if this is intentional for self-monitoring purposes or accidental and indicative of poor operational security."
"Mandiant assesses with moderate confidence that APT43 is attributable to the North Korean Reconnaissance General Bureau (RGB), the country's primary foreign intelligence service," the report adds.
"We expect that APT43 will remain highly prolific in carrying out espionage campaigns and financially motivated activities supporting these interests," Mandiant's report concludes. "We believe North Korea has become increasingly dependent on its cyber capabilities, and APT43's persistent and continuously developing operations reflect the country's sustained investment and reliance on groups like APT43." ®