Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks
8.6.23 APT The Hacker News
The North Korean nation-state threat actor known as Kimsuky has been linked to a social engineering campaign targeting experts in North Korean affairs with the goal of stealing Google credentials and delivering reconnaissance malware.
"Further, Kimsuky's objective extends to the theft of subscription credentials from NK News," cybersecurity firm SentinelOne said in a report shared with The Hacker News.
"To achieve this, the group distributes emails that lure targeted individuals to log in on the malicious website nknews[.]pro, which masquerades as the authentic NK News site. The login form that is presented to the target is designed to capture entered credentials."
NK News, established in 2011, is an American subscription-based news website that provides stories and analysis about North Korea.
The disclosure comes days after U.S. and South Korean intelligence agencies issued an alert warning of Kimsuky's use of social engineering tactics to strike think tanks, academia, and news media sectors. Last week, the threat group was sanctioned by South Korea's Ministry of Foreign Affairs.
Active since at least 2012, Kimsuky is known for its spear-phishing tactics and its attempts to establish trust and rapport with intended targets prior to delivering malware, a reconnaissance tool called ReconShark.
The ultimate goal of the campaigns is to gather strategic intelligence, geopolitical insights, and access sensitive information that are of value to North Korea.
"Their approach highlights the group's commitment to creating a sense of rapport with the individuals they target, potentially increasing the success rate of their subsequent malicious activities," security researcher Aleksandar Milenkoski said.
The findings also follow new revelations from the South Korean government that more than 130 North Korean watchers have been singled out as part of a phishing campaign orchestrated by the government-backed hacking group.
What's more, with North Korea earning a significant chunk of its foreign-currency income from cyber attacks and cryptocurrency heists, threat actors operating on behalf of the regime's interests have been observed spoofing financial institutions and venture capital firms in Japan, the U.S., and Vietnam.
Cybersecurity company Recorded Future connected the activity to a group tracked as TAG-71, a subgroup of Lazarus which is also known as APT38, BlueNoroff, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444.
The adversarial collective has an established track record of mounting financially motivated intrusion campaigns targeting cryptocurrency exchanges, commercial banks, and e-commerce payment systems across the world to illegally extract funds for the sanctions-hit country.
"The compromise of financial and investment firms and their customers may expose sensitive or confidential information, which may result in legal or regulatory action, jeopardize pending business negotiations or agreements, or expose information damaging to a company's strategic investment portfolio," the company noted.
The chain of evidence so far suggests that Lazarus Group's motives are both espionage and financially driven, what with the threat actor blamed for the recent Atomic Wallet hack that led to the theft of crypto assets worth $35 million, making it the latest in a long list of crypto companies to be stung by hacks over the past few years.
"The laundering of the stolen crypto assets follows a series of steps that exactly match those employed to launder the proceeds of past hacks perpetrated by Lazarus Group," the blockchain analytics company said.
"The stolen assets are being laundered using specific services, including the Sinbad mixer, which have also been used to launder the proceeds of past hacks perpetrated by the Lazarus Group."