First talk, then hack: The North Korean hacker group TA427 tries to approach foreign policy experts in a rather unspectacular way to find out their position on sanctions. A lot of information is obtained with fake identities.
Proofpoint researchers observe numerous hacker groups that are sponsored or supported by government agencies. One of them is TA427, also known as Emerald Sleet, APT43, THALLIUM or Kimsuky. This is a group allied with the Democratic People's Republic of Korea (DPRK or North Korea) that supports the Reconnaissance General Bureau. It is particularly known for successful email phishing campaigns targeting experts to gain foreign policy intelligence.
North Korea wants to sound out experts
Since 2023, TA427 has pivoted to using non-intrusive emails to directly address foreign policy experts to start a conversation. In these emails, the attackers try to find out more about opinions on nuclear disarmament, US and Korean policy, and sanctions issues. In recent months, the group has changed its approach. In December 2023, it began exploiting lax Domain-based Message Authentication, Reporting and Conformance (DMARC) enforcement to spoof various identities. In February 2024, the group began using web beacons to create target profiles.
The Proofpoint experts have published their findings in an extensive study. The most important results, summarized point by point:
- TA427 regularly sends seemingly harmless emails to initiate a conversation with the aim of establishing a long-term exchange of information with the group's targets. The attackers are trying to learn more about topics that are of strategic importance to the North Korean regime.
- In addition to using specially created decoys, TA427 relies heavily on fake identities linked to think tanks and non-governmental organizations. This is intended to give the emails a legitimate appearance and increase the likelihood that the targets will contact the attackers.
- To impersonate its chosen individuals, TA427 uses a variety of tactics, including DMARC abuse coupled with free email inboxes, typosquatting, and spoofing of private email accounts.
- TA427 also used web beacons for initial reconnaissance of its targets, learning basic information such as whether an email account is active.
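The "lax DMARC enforcement" named above is a concrete, checkable setting: a domain whose DMARC record says `p=none` (or none at all) tells receiving mail servers to deliver spoofed messages and merely report them. The following is an added example, not code from the article or from Proofpoint, that parses a DMARC TXT record and reports the conditions that leave a domain spoofable; the sample records in the test are constructed and the domains are placeholders.

```python
from typing import Optional, List


class DmarcAssessment:
    """Result of checking one DMARC record for enforcement gaps."""

    def __init__(self, policy: str, subdomain_policy: str, pct: int) -> None:
        self.policy = policy
        self.subdomain_policy = subdomain_policy
        self.pct = pct
        self.findings: List[str] = []  # each entry is one reason the domain is spoofable

    @property
    def enforcing(self) -> bool:
        return not self.findings


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lowercase tag -> value map."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Evaluate the DMARC TXT record published at _dmarc.<domain> (None = no record)."""
    if record is None:
        result = DmarcAssessment("absent", "absent", 0)
        result.findings.append("no DMARC record: receivers apply no policy to failing mail")
        return result
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        result = DmarcAssessment("invalid", "invalid", 0)
        result.findings.append("record does not start with v=DMARC1; receivers ignore it")
        return result
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    pct = int(tags.get("pct", "100"))
    result = DmarcAssessment(policy, sub_policy, pct)
    if "p" not in tags:
        result.findings.append("missing p tag: record is invalid, so no policy is applied")
    elif policy == "none":
        result.findings.append("p=none: failing messages are delivered, only reported")
    if sub_policy == "none" and policy != "none":
        result.findings.append("sp=none: subdomains stay spoofable despite the org policy")
    if pct < 100:
        result.findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        result.findings.append("no rua tag: spoofing attempts will never show up in reports")
    return result
```

Run it against the records of your own sending domains and those of partner organizations whose staff appear in your correspondence; anything short of `p=reject` with `sp=reject` and `pct=100` is the gap described above.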
Only time will tell what the North Korean hackers plan to do with their fake identities and contacts.
More at Proofpoint.com
About Proofpoint
Proofpoint, Inc. is a leading cybersecurity company. Proofpoint focuses on protecting employees, because they are a company's greatest asset but also its greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.