Tuesday, October 15, 2024
HomeCyber AttackNorth Korean Hackers Mimic Journalists To Steal Credentials From Organizations

North Korean Hackers Mimic Journalists To Steal Credentials From Organizations

Published on

Malware protection

The North Korean APT group Kimsuky has been running a social engineering operation that targets experts in North Korean affairs from the non-government sector, according to SentinelLabs.

For spear-phishing attempts to gather intelligence from think tanks, research centers, academic institutions, and various media organizations, the North Korean hacking group Kimsuky (also known as APT43) has been posing as a journalist and academic.

“The campaign focuses on the theft of email credentials, delivery of reconnaissance malware, and theft of NK News subscription credentials,” SentinelLabs.

- Advertisement - SIEM as a Service

Activities Of the North Korean Hacker Group Kimsuky

Kimsuky’s most recent social engineering attempt was directed at NK News subscribers, an American subscription-based website that offers news and commentary about North Korea.

Kimsuky’s activities seem to be in line with those of the North Korean government.

The gang has been in operation since at least 2012, and it frequently uses targeted phishing and social engineering techniques to acquire sensitive data and gather intelligence.

 Kimsuky, also known as Thallium and Velvet Chollima, has conducted extensive espionage efforts to support national intelligence objectives.

The ReconShark malware, which is capable of leaking information, including what detection systems are in use on a device and information about the device itself, was further offered in some cases by the Kimsuky hackers in weaponized Microsoft Office documents.

In a different attack that SentinelLabs observed, Kimsuky sent out emails asking recipients to sign on to a fake NK News subscription service. 

The North Korean hackers would benefit from having access to users’ NK News login information because they would gain “valuable insights into how the international community assesses and interprets developments related to North Korea, contributing to their broader strategic intelligence-gathering initiatives,” SentinelLabs.

Additionally, Kimsuky was seen delivering malware-free Word documents and legitimate Google Docs links to their targets in an attempt to establish a connection with them before beginning their harmful actions.

Posing As Journalists and Writers

Hackers from Kimsuky carefully organize and carry out their spear-phishing assaults by employing email accounts that closely resemble those of actual people and by creating convincing, realistic content for the target’s communication.

The hackers frequently pose as journalists and writers to enquire about the latest political developments on the Korean peninsula, the North Korean weapons program, US talks, China’s position, and other topics.

Themes that have been seen include queries, interview requests, a running survey, and demands for reports or document reviews.

As the early emails’ goal is to win the target’s trust rather than quickly corrupt them, they frequently contain no malware and no attachments.

Hackers posing as Journalists and Writers (Source: U.S. Government)

If the target does not reply to these emails, Kimsuky follows up after a few days with another message. 

The phishing message can use a distinctive North Korean dialect if the target is South Korean. 

Additionally, the email addresses used to send phishing scams are spoofs of real people or companies, but they are always slightly misspelled.

Thus, it is crucial to maintain attention and put strong security measures in place to reduce this persistent threat actor’s threats.

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...