Archipelago and Kimsuky, Two Subsets of APT43, Are Active Threat Actors Supporting North Korea's Strategic Intelligence Gathering


A North Korean cyberespionage group tracked as APT43 has been profiled by cybersecurity firm Mandiant. APT43, also referred to as Kimsuky or Thallium, primarily collects intelligence on foreign policy and nuclear security issues, but switched to targeting health-related verticals in 2021 because of the COVID-19 pandemic. The group also carries out cybercrime operations to fund itself and the regime.

APT43 is a cyberespionage group that supports the interests of the North Korean regime. The group has been tracked by Mandiant since 2018 and aligns with the mission of the Reconnaissance General Bureau, the main foreign intelligence service of North Korea. APT43 uses spear phishing and social engineering techniques to compromise its targets, often posing as convincing personas or spoofing key individuals' identities. The Archipelago subset of APT43 has been observed targeting government and military personnel, think tanks, policymakers, academics, and researchers in South Korea, the US, and elsewhere. Archipelago also uses browser-in-the-browser techniques and sends benign PDF files, among other tactics, to trick users into giving up their credentials.

In addition to spear phishing, Archipelago is known to use social engineering techniques such as posing as reporters or think-tank analysts in order to obtain expert knowledge from targets. The operators may build trust with a victim for days or weeks before sending a malicious link or file. Archipelago also uses browser-in-the-browser techniques, benign-looking PDF files, and ISO files to deliver malware.

One of APT43's particular interests is cryptocurrency, which the group uses to purchase the infrastructure and hardware devices that sustain its operations. It launders stolen funds through hash rental and cloud mining services, so that the mined coins have no on-chain association with the buyer's original payments. APT43 has also used a malicious Android application to target Chinese users interested in cryptocurrency loans and to harvest their credentials.

To protect against APT43 and Archipelago, organisations should educate users about social engineering techniques, train them to detect and report phishing attempts, deploy security solutions that detect phishing emails and malware infection attempts, keep operating systems and software up to date and patched, and carefully triage anyone approaching their experts who may be masquerading as a journalist or reporter. In particular, geopolitics experts and international policymakers need to be trained to recognise an approach from an attacker posing as an innocent party. Before any exchange of sensitive information, careful vetting of the people approaching experts is mandatory in order to protect the integrity of that data.
