Special Features

Spotlight on RSA

Another year, another North Korean malware-spreading, crypto-stealing gang named

Mandiant identifies 'moderately sophisticated' but 'prolific' APT43 as global menace

Google Cloud's recently acquired security outfit Mandiant has named a new nasty from North Korea: a cyber crime gang it calls APT43 and accuses of a five-year rampage.

"Mandiant assesses with high confidence that APT43 is a moderately sophisticated cyber operator that supports the interests of the North Korean regime," states a report on the gang released on Wednesday.

The report observes that APT43's activities have sometimes been attributed to actors known as "Thallium" or "Kimsuky" – such as the 2021 attack on South Korea's nuclear research agency.

That raid is typical of APT43's activities. It aligns with the gang's goal of strategic intelligence collection to keep North Korea informed of its foes' activities and capabilities.

APT43 mostly uses spear phishing and fake websites to gather information, eschewing zero-day vulnerabilities. Once it compromises a target, the gang's favorite tool is LATEOP – a backdoor based on VisualBasic scripts. It's also used malware such as gh0st RAT, QUASARRAT, and AMADE to go about its business. The gang appears not to be a notable malware innovator, but Mandian has observed "a steady evolution and expansion of the operation's malware library over time."

As North Korea's needs change, so do APT43's activities and targets. Before 2020 it targeted diplomatic organizations and think tanks that considered strategic issues around the Korean peninsula. It then shifted focus to healthcare organizations, in what Mandiant assesses was a desire to gather information related to COVID-19.

Those shifts have seen the group attack different types of target. But Mandiant's analysts believe it has an overarching purpose of "enabling North Korea's weapons program, including: collecting information about international negotiations, sanctions policy, and other countries' foreign relations and domestic politics as these may affect North Korea's nuclear ambitions."

APT43 funds its own activities by stealing and laundering cryptocurrency, but those heists aren't its purpose. Indeed, North Korea backs another gang – APT38 – to pinch cryptocurrency.

But the gangs don't operate in isolation. Mandian asserts "APT43 has shared infrastructure and tools with known North Korean operators, highlighting its role and mission alignment in a wider state-sponsored cyber apparatus."

Intriguingly, Mandiant thinks APT43 may also have a role in policing some of that apparatus.

"We have some indication that APT43 also carries out internal monitoring of other North Korean operations, including non-cyber activities," the report asserts. "APT43 has compromised individual espionage actors, including those within its own operations. However it is unclear if this is intentional for self-monitoring purposes or accidental and indicative of poor operational security."

"Mandiant assesses with moderate confidence that APT43 is attributable to the North Korean Reconnaissance General Bureau (RGB), the country's primary foreign intelligence service," the report adds.

"We expect that APT43 will remain highly prolific in carrying out espionage campaigns and financially motivated activities supporting these interests," Mandiant's report concludes. "We believe North Korea has become increasingly dependent on its cyber capabilities, and APT43's persistent and continuously developing operations reflect the country's sustained investment and reliance on groups like APT43." ®

Send us news

US readies prison cell for another Russian Trickbot developer

Hunt continues for the other elusive high-ranking members

Korean peninsula space race sees South and North launch tit for tat spy sats

North claims it took photos of stuff. South points to success of homegrown booster

CISA details twin attacks on federal servers via unpatched ColdFusion flaw

Tardy IT admins likely to get a chilly reception over the lack of updates

North Korea makes finding a gig even harder by attacking candidates and employers

That GitHub repo an interviewer wants you to work on could be malware

Black Basta ransomware operation nets over $100M from victims in less than two years

Assumed Conti offshoot averages 7 figures for each successful attack but may have issues with, er, 'closing deals'

Leader of pro-Russia DDoS crew Killnet 'unmasked' by Russian state media

Also: NXP China attack, Australia can't deliver on ransom payment ban (yet), and Justin Sun's very bad month

Five Eyes nations warn Moscow's mates at the Star Blizzard gang have new phishing targets

The Russians are coming! Err, they've already infiltrated UK, US inboxes

Fancy Bear goes phishing in US, European high-value networks

GRU-linked crew going after our code warns Microsoft - Outlook not good

Europol shutters ransomware operation with kingpin arrests

A few low-level stragglers remain on the loose, but biggest fish have been hooked

That call center tech scammer could be a human trafficking victim

Interpol increasingly concerned as abject abuse of victims scales far beyond Asia origins

Belgian man charged with smuggling sanctioned military tech to Russia and China

Indictments allege plot to shift FPGAs, accelerometers, and spycams

BlackCat ransomware crims threaten to directly extort victim's customers

Accounting software firm Tipalti says it’s investigating alleged break-in of its systems