The AZB More Than Just News

North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media

News Desk by News Desk
June 8, 2023
SUMMARY

The Federal Bureau of Investigation (FBI), the U.S. Department of State, and the National Security Agency (NSA), together with the Republic of Korea’s National Intelligence Service (NIS), National Police Agency (NPA), and Ministry of Foreign Affairs (MOFA), are jointly issuing this advisory to highlight the use of social engineering by the Democratic People’s Republic of Korea (DPRK a.k.a. North Korea) state-sponsored cyber actors to enable computer network exploitation (CNE) globally against individuals employed by research centers and think tanks, academic institutions, and news media organizations. These North Korean cyber actors are known to conduct spear phishing campaigns posing as real journalists, academics, or other individuals with credible links to North Korean policy circles. The DPRK employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to private documents, research, and communications of their targets.

BACKGROUND


North Korea’s cyber program provides the regime with broad intelligence collection and espionage capabilities. The Governments of the United States and the Republic of Korea (ROK a.k.a. South Korea) have observed sustained information-gathering efforts originating from these North Korean cyber actors. North Korea’s primary military intelligence organization, the Reconnaissance General Bureau (RGB), which has been sanctioned by the United Nations Security Council, is primarily responsible for this network of actors and its activities.

We assess that the primary goals of the DPRK regime’s cyber program include maintaining consistent access to current intelligence about the United States, South Korea, and other countries of interest to impede any political, military, or economic threat to the regime’s security and stability.

Currently, the U.S. and ROK Governments, and private sector cyber security companies, track a specific set of DPRK cyber actors conducting these large-scale social engineering campaigns as Kimsuky, Thallium, APT43, Velvet Chollima, and Black Banshee. Kimsuky is administratively subordinate to an element within North Korea’s RGB and has conducted broad cyber campaigns in support of RGB objectives since at least 2012. Kimsuky actors’ primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime.

Disclaimer: This document is marked TLP:CLEAR. Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol, see https://www.cisa.gov/tlp.

Some targeted entities may discount the threat posed by these social engineering campaigns, either because they do not perceive their research and communications as sensitive, or because they are not aware of how these efforts fuel the regime’s broader cyberespionage efforts. However, as outlined in this advisory, North Korea relies heavily on intelligence gained by compromising policy analysts. Further, successful compromises enable Kimsuky actors to craft more credible and effective spearphishing emails that can be leveraged against more sensitive, higher-value targets. The authoring agencies believe that raising awareness of some of these campaigns and employing basic cyber security practices may frustrate the effectiveness of Kimsuky’s spearphishing operations. This advisory provides detailed information on how Kimsuky actors operate; red flags to consider as you encounter common themes and campaigns; and general mitigation measures for entities worldwide to implement to better protect against Kimsuky’s CNE operations.

If you believe you have been targeted in one of these spearphishing campaigns, whether or not it resulted in a compromise (particularly if you are a member of one of the targeted sectors), please file a report with www.ic3.gov and reference #KimsukyCSA in the incident description.

Please include as much detail as you can about the incident, including the sender email address and the text of the email message, specifying any links/URLs/domains. Please specify whether you responded to the email, clicked on any links, or opened any attachments. Please retain the original email and attachments in case you are contacted by an investigator for further information.

Please visit www.ic3.gov and use #KimsukyCSA in your submission.

The U.S. Government also encourages victims to report suspicious activities, including any suspected DPRK cyber activities, to local FBI field offices.

For the ROK government, you can report suspicious activities to the National Intelligence Service (www.nis.go.kr, 111), the National Police Agency (ecrm.police.go.kr, 182), or the Korea Internet & Security Agency (boho.or.kr, 118).

KIMSUKY OPERATIONS: SOCIAL ENGINEERING

In a cybersecurity context, social engineering is a broad term referring to the use of deception to exploit human error and manipulate a target into unwittingly exposing confidential or sensitive information for fraudulent purposes. DPRK cyber actors employ social engineering techniques to enable much of Pyongyang’s malicious CNE. Among social engineering techniques, Kimsuky actors use spearphishing—or the use of fabricated emails and digital communications tailored to deceive a target—as one of their primary vectors for initiating a compromise and gaining access into a target’s devices and networks. For over a decade, Kimsuky actors have continued to refine their social engineering techniques and made their spearphishing efforts increasingly difficult to discern.

A Kimsuky spearphishing campaign begins with broad research and preparation. DPRK cyber actors often use open-source information to identify potential targets of value and then tailor their online personas to appear more realistic and appealing to their victims.

The Kimsuky actors will create email addresses that resemble email addresses of real individuals they seek to impersonate and generate domains that host the malicious content of a spearphishing message. DPRK actors often use domains that resemble common internet services and media sites to deceive a target.

For example, Kimsuky actors are known to impersonate well-known news outlets and journalists using a domain such as “@XYZkoreas.news”, spoofing a real news station, while actual emails from the news service appear as “@XYZnews.com.”
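The lookalike-domain pattern described above can be checked mechanically at the mail gateway or during triage. The following is an added example, not part of the advisory: it classifies a sender against a list of domains you actually correspond with, and the names `TRUSTED_DOMAINS`, `SIMILARITY_THRESHOLD` and `classify_sender` are assumptions made for illustration, as is the threshold value.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumption: registrable domains of organisations you really correspond with.
# "xyznews.com" is the advisory's placeholder for the genuine news service.
TRUSTED_DOMAINS = {"xyznews.com"}
SIMILARITY_THRESHOLD = 0.65  # assumed cut-off; tune against your own mail flow


def sender_domain(from_header):
    """Return the lower-cased domain of a From: header value, or None."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def brand_similarity(domain, trusted):
    """Score how closely `domain` imitates the brand label of `trusted`."""
    brand = trusted.split(".")[0]                      # e.g. "xyznews"
    flat = domain.replace(".", "").replace("-", "")    # e.g. "xyzkoreasnews"
    if brand in flat:
        return 1.0  # brand reused verbatim under another domain
    # Catches a brand split around an inserted word or moved into the TLD.
    return SequenceMatcher(None, brand, flat).ratio()


def classify_sender(from_header, trusted_domains=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a sender."""
    domain = sender_domain(from_header)
    if domain is None:
        return "invalid"
    for trusted in trusted_domains:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in trusted_domains:
        if brand_similarity(domain, trusted) >= SIMILARITY_THRESHOLD:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers built from the advisory's placeholder domains.
    for header in ('"Reporter" <reporter@XYZkoreas.news>', "desk@XYZnews.com",
                   "editor@mail.xyznews.com", "someone@example.org"):
        print(f"{header:45} {classify_sender(header)}")
```

A "lookalike" result is a reason to verify the sender through a known-good channel before replying, not proof of compromise; a "trusted" result says nothing about whether the genuine account has itself been taken over.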

DPRK cyber actors commonly take on the identities of real people to gain trust and establish rapport in their digital communications. Kimsuky actors may have previously compromised the email accounts of the person whom they are impersonating. This allows the actors to search for targets while scanning through compromised emails, with a particular focus on work-related files and personal information about retirees and social clubs.

By: Zahid H. Karani

© Copyright 2024 theazb. All Rights Reserved.
