New Delhi, NFAPost: Mandiant has categorised a North Korean threat actor as an Advanced Persistent Threat group, APT43, and made it clear that this prolific cyber operator has been observed carrying out unusually aggressive social engineering campaigns (often disguised as reporters) to support espionage activities, as well as financially-motivated attacks to fund its own operations.
Cybersecurity firm Mandiant states that the group operates with high-tempo and primarily focuses on espionage, but the company’s researchers note the volume of crypto activity signals an increased focus on securing crypto funds.
Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting and social engineering to support espionage activities, and financially-motivated cybercrime to fund operations.
Tracked since 2018, APT43's collection priorities align with the mission of the Reconnaissance General Bureau (RGB), North Korea's main foreign intelligence service. The group's focus on foreign policy and nuclear security issues supports North Korea's strategic and nuclear ambitions. However, the group's focus on health-related verticals throughout the majority of 2021, likely in support of pandemic response efforts, highlights its responsiveness to shifting priorities from Pyongyang.
Furthermore, Mandiant believes APT43 has been stealing cryptocurrency from private users and laundering it by paying cloud mining services to mine for different cryptocurrency; making it more difficult for the new crypto to be traced back to APT43.
With North Korea increasing its nuclear activity, Mandiant’s researchers note that tracking this group is more important now than ever, as it gives the world greater insights into the DPRK.
According to the Mandiant report, what this threat actor is doing to launder stolen crypto, using hash rental and cloud mining services, is novel.
“The techniques they’re leveraging are unique and it’s likely that other threat groups – including those outside of North Korea – will learn from this and adopt it as well. The questions APT43 is asking its targets when they pretend to be reporters or subject matter experts are important,” states Mandiant in its report.
APT43 shows its cards in the questions it emails victims when pretending to be reporters, such as “North Korea just launched a missile – does Japan plan to increase its defense budget as a result?” APT43 is having great success without any need to get too sophisticated. The volume and social engineering expertise that these guys have is very impressive.
The report also states that APT43 is having immense success by playing the numbers game in targeting private crypto users rather than going after large targets. By doing this, they are staying under the radar of national law enforcement.
Campaigns attributed to APT43 are closely aligned with state interests and correlate strongly with geopolitical developments that affect Kim Jong-un and the hermit state’s ruling elite. Since Mandiant began tracking APT43, the group has consistently conducted espionage activity against South Korean and US organisations with a stake in security issues affecting the Korean peninsula.
APT43 most commonly leverages tailored spear-phishing emails to gain access to victim information. However, the group also engages in various other activities to support collecting strategic intelligence, including using spoofed websites for credential harvesting and carrying out cybercrime to fund itself.