You might have been phished by the gang that stole North Korea’s lousy rocket tech
US, South Korea, warn 'Kimsuky' is a very sophisticated social engineer
The United States and the Republic of Korea have issued a joint cyber security advisory [PDF] about North Koreas "Kimsuky" cyber crime group.
The warning came after the Democratic People’s Republic of Korea (DPRK aka North Korea) earlier this week tried and failed to launch a surveillance satellite. In their joint advisory, US and South Korean authorities said Kimsuky targets "think tanks, academic institutions, and news outlets … for the purpose of intelligence gathering." The South says the gang is also involved in stealing info used by the DPRK's satellite program.
The South"s Ministry of Foreign Affairs linked the gang – and its penchant for information on matters pertaining to the military and aerospace – to this week's failed satellite launch.
Whatever its target, Kimsuky's preferred tactic to gain access to its targets is social engineering – especially spear phishing.
One tell-tale sign of a Kimsuky mail is claiming to be from a reputable media outlet or academic institution, but using a URL that does not precisely match that organization's website. Recipients are often buttered up with remarks about the excellence of their credentials or insights, and asked if they are willing to complete a questionnaire in return for a payment.
The document containing the questionnaire is clean, but the follow-up document that asks for bank account details often contains malicious macros that "quietly establish connections with Kimsuky command and control infrastructure, and result in the provision of access to the target's device."
Infection with other forms of malware can follow.
- North Korean spy satellite launch ends in sea smash
- US bans North Korean outsourcer and its feisty freelancers
- DoJ, Treasury accuses 3 men of laundering crypto for North Korea
- China has 50 hackers for every FBI cyber agent, says Bureau boss
Another Kimsuky tactic is creating "fake but realistic versions of actual websites, portals, or mobile applications" to have victims log on using their credentials for the real version of the site. Those creds are of course harvested by the crime gang and used to access the real site and harvest information of interest.
The joint advisory recommends paying attention to the descriptions of Kimsuky activity as outlined above, and in more depth in the document.
It also suggests the following two practices as possible mitigations:
- Do not enable macros on documents received via email, unless the source is verified;
- Do not open documents from cloud hosting services when shared via email, unless the source is verified.
Those activities will, in many orgs, require quite a lot of education!
But if it helps to blunt the DPRK's attacks, that effort is worth it.
The South has decided one way to blunt its nasty neighbor is with sanctions imposed directly on Kimsuky – it has named a pair of crypto wallets that are now off limits under local law. ®