Joint Cybersecurity Advisory Reveals Details of North Korea Hacking Campaign

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the U.S. Department of State have issued a joint cybersecurity advisory warning of a state-sponsored email hacking campaign conducted by Advanced Persistent Threat group 43 (APT43), also known as Kimsuky. This North Korean military intelligence-backed group has been using email authentication bypass techniques to impersonate journalists, researchers, and academics in coordinated spear-phishing campaigns. The primary goal is to steal valuable geopolitical information from policy analysts and experts to support the North Korean regime.

APT43/Kimsuky: A Profile of the Adversary

APT43, managed by North Korea’s military intelligence 63rd Research Center, has been active since 2012. The group’s primary mission is to compromise expert targets such as policy analysts, providing the regime with intelligence about the United States, South Korea, and other nations of interest. Their strategy is to undermine perceived political, military, or economic threats to North Korea’s stability.

While their primary targets are high-value individuals, the group’s email spoofing techniques can affect all email users. Even basic phishing campaigns help the attackers refine their techniques, which increases the risk of future attacks.

The Threat: Exploiting Misconfigured DMARC Policies

One of the primary tactics used by APT43/Kimsuky is exploiting poorly implemented or non-existent Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies. DMARC lets receiving mail servers verify that a message really comes from the domain it claims, by checking it against the domain’s Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records. However, when a domain’s DMARC policy is missing or set to “none,” messages that fail those checks are still delivered, which allows attackers to spoof that email domain.

How Kimsuky Attacks Work

Reconnaissance: Kimsuky campaigns often begin with broad reconnaissance, including collecting information from previously compromised email accounts to enhance authenticity.
Spoofing: They use legitimate domain names to spoof individuals from think tanks and academic institutions, creating fake usernames and impersonating organizations.
Web Beacons: Kimsuky recently began embedding web beacons in emails to track targets. A web beacon is an invisible pixel linked to an image server that reveals if an email address is active, along with information about the recipient’s network environment.

Indicators of Compromise (IoCs)

Proofpoint security researchers have noted common email subjects used by Kimsuky:

Invitation: August DPRK meeting
Draft: Taiwan Issue
Request: Meeting (Korean Embassy)
Invitation: Korea Global Forum 2024 (Seoul, February 20-21)
Event: Korea Society “Rumbles of Thunder and Endangered Peace on the Korean Peninsula”
Invitation: US Policy Toward North Korea – Pocantico Center February 6-8

Protecting Yourself and Your Organization

The FBI and NSA urge all email users to take immediate steps to secure their email domains:

Configure DMARC Properly: Set your DMARC policy to “quarantine” or “reject” in your email domain’s DNS settings. For example:
v=DMARC1; p=quarantine
v=DMARC1; p=reject
Check with Your IT Team: If you’re unsure about your organization’s DMARC policy, consult your IT team or web hosting provider to ensure proper configuration.
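To make the “quarantine or reject” advice above concrete, here is an added example (not part of the advisory or of NextGEN’s own tooling) that parses a DMARC TXT record and reports whether it still leaves the domain spoofable: a missing record, p=none, a partial pct=, or sp=none on subdomains. The sample records and domain names are constructed for illustration; in practice the record comes from the `_dmarc.<your-domain>` TXT lookup.

```python
# Constructed sample records (not real domains): the weak policy the advisory warns
# about, the corrected policy it recommends, and two partial configurations.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "fixed.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@fixed.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
    "missing.example": "",  # no _dmarc TXT record published at all
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag=value pairs (RFC 7489 syntax, lower-cased tags)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record: str) -> tuple:
    """Return (verdict, reason); 'weak' means a spoofed message would still be delivered."""
    if not record.strip():
        return "weak", "no DMARC record published; receivers apply no policy"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "weak", "record does not start with v=DMARC1 and will be ignored"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "weak", "missing or invalid p= tag; receivers treat the record as invalid"
    if policy == "none":
        return "weak", "p=none only monitors; spoofed mail is still delivered"
    pct = tags.get("pct", "100")  # RFC default is 100% when the tag is absent
    if not pct.isdigit() or int(pct) < 100:
        return "partial", f"p={policy} is applied to only {pct}% of failing mail"
    sub_policy = tags.get("sp", policy).lower()  # subdomains inherit p= unless sp= is set
    if sub_policy == "none":
        return "partial", f"p={policy} but sp=none leaves subdomains spoofable"
    return "ok", f"p={policy} enforced on 100% of mail for the domain and its subdomains"

def check_records(records: dict) -> dict:
    """Map each domain to its verdict, for auditing every domain an organization sends from."""
    return {domain: evaluate_dmarc(rec)[0] for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        verdict, reason = evaluate_dmarc(rec)
        print(f"{domain:18} {verdict:8} {reason}")
```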

Final Insights and Mitigations

Dave Luber, NSA cybersecurity director, emphasized that spear-phishing remains a cornerstone of the North Korean cyber program. He urges organizations to follow the insights and mitigations outlined in the advisory to counter the threat.

05/07 Update: Proofpoint Security Researchers Analyze Recent Kimsuky Group Activity

Security firm Proofpoint, which tracks APT43 as TA427, highlights new tactics used by Kimsuky:

Impersonation: The group impersonates key North Korean experts in academia, journalism, and research.
Agility: Kimsuky adapts quickly, switching tactics and targets frequently.
Success Rate: The group’s success in phishing campaigns has emboldened them to remain agile.

Proofpoint researchers also confirmed that Kimsuky’s use of web beacons provides valuable reconnaissance information, revealing details like IP addresses, user-agents, and email opening times.

Stay Updated and Safe

For more cybersecurity insights and updates, stay tuned to our blog or reach out to NextGEN IT Solutions. Our team of experts can help your organization configure its DMARC policy and provide additional layers of cybersecurity to protect against threats like Kimsuky.
