NSA and FBI warn of N. Korean hackers spoofing emails from trusted sources

May 3, 2024 | Newsroom | Email security / malware

Email spoofing

The US government on Thursday issued a new cybersecurity alert addressing North Korean threat actors’ attempts to send emails in a way that makes them appear to come from legitimate and trusted parties.

The joint bulletin was published by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and the Department of State.

“The DPRK (Democratic People’s Republic of Korea) uses these spear-phishing campaigns to gather intelligence on geopolitical events, hostile foreign policy strategies and any information detrimental to the interests of the DPRK by obtaining illegal access to private documents, research and communications of the targets,” the NSA said.

The technique specifically involves exploiting misconfigured Domain-based Message Authentication, Reporting, and Conformance (DMARC) DNS record policies to conceal social engineering attempts. By doing this, the threat actors can send spoofed emails that appear to come from a legitimate domain’s email server.


The abuse of weak DMARC policies has been attributed to a North Korean activity cluster tracked by the cybersecurity community under the name Kimsuky (also known as APT43, Black Banshee, Emerald Sleet, Springtail, TA427 and Velvet Chollima), a sister collective of the Lazarus Group that is affiliated with the Reconnaissance General Bureau (RGB).

Proofpoint said in a report published last month that Kimsuky began integrating this method in December 2023 as part of broader efforts to reach out to foreign policy experts for their opinions on topics related to nuclear disarmament, U.S.-South Korea policy and sanctions.


Describing the adversary as a “clever social engineering expert,” the corporate security firm said the hacking group is known to engage its targets over extended periods of time through a series of good-natured conversations to build trust, using various aliases that impersonate DPRK subject-matter experts in think tanks, academia, journalism and independent research.

“Targets are often asked to share their thoughts on these topics via email or a formal research paper or article,” said Proofpoint researchers Greg Lesnewich and Crista Giering.

“Malware or credential collection is never sent directly to targets without an exchange of multiple messages, and (…) rarely used by the threat actor. It is possible that TA427 can meet its intelligence requirements by directly asking targets for their views or analysis rather than through an infection.”

The company also noted that many of the entities TA427 spoofed had not enabled or enforced DMARC policies, which allowed such emails to bypass security checks and be delivered even when those checks failed.

Additionally, Kimsuky has been observed using “free email addresses spoofing the same persona in the reply-to field to convince the target that they are contacting legitimate personnel.”


In an email highlighted by the US government, the threat actor posed as a legitimate journalist seeking an interview with an unnamed expert to discuss North Korea’s nuclear armament plans, but noted that their email account would be temporarily blocked and urged the recipient to reply to their personal email, a fake account that impersonated the journalist.

This indicates that the phishing message was originally sent from the journalist’s compromised account, increasing the likelihood that the victim would respond to the alternative fake account.

Organizations are advised to update their DMARC policies so that receiving mail servers treat emails that fail checks as suspicious or spam (i.e., quarantine or reject them), and to receive aggregate feedback reports by setting a reporting email address in the DMARC record.
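To make the recommendation concrete, here is an added example (not part of the advisory or the article) that parses DMARC TXT records and flags the weak settings described above: a p=none policy, an unenforced subdomain policy, partial pct enforcement and a missing rua reporting address. The domain names and records are constructed; the defaults (sp inherits p, pct defaults to 100) follow RFC 7489.

```python
# Constructed sample records (not real domains). The first one mirrors the
# misconfiguration the advisory describes: p=none means mail that fails
# DMARC alignment is still delivered, so the domain can be spoofed.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "hardened.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@hardened.example",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Return findings explaining why the record would not stop spoofing.

    An empty list means the record enforces a policy and requests reports.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s: failing mail is still delivered" % (policy or "missing"))
    # RFC 7489: the subdomain policy (sp) defaults to the organizational policy (p).
    sub = tags.get("sp", policy).lower()
    if sub not in ("quarantine", "reject"):
        findings.append("sp=%s: subdomains can be spoofed" % (sub or "missing"))
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100:
        findings.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who is spoofing the domain")
    return findings

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record) or ["OK: enforcing policy with reporting"])
```

In practice the record is fetched as the TXT record of `_dmarc.<domain>`; the function above only evaluates the record text once retrieved.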
