North Korean APT Group Kimsuky Expands Social Engineering Tactics

Security researchers have uncovered a new social engineering campaign orchestrated by the North Korean advanced persistent threat (APT) group known as Kimsuky.

The campaign, described in an advisory published on Tuesday by SentinelOne, specifically targets experts in North Korean affairs and aims to steal credentials and gather strategic intelligence.

“The social engineering tactics and some infrastructure characteristics closely relate to a Kimsuky activity privately reported by PwC and discussed in an NSA advisory published during the writing of this article,” reads the SentinelOne write-up.

The primary objective of the attacks is to steal Google and subscription credentials from a prominent news and analysis service focusing on North Korea. 

To achieve this goal, Kimsuky employs sophisticated tactics, including extensive email correspondence, spoofed URLs and the use of reconnaissance malware called ReconShark.

In particular, SentinelOne observed Kimsuky attackers initiating contact by impersonating Chad O’Carroll, the founder of NK News and the associated holding company Korea Risk Group. 

They sent emails to their targets requesting a review of a draft article analyzing the nuclear threat posed by North Korea. If the targets engaged in the conversation, Kimsuky leveraged the opportunity to deliver a spoofed URL to a Google document, redirecting to a malicious website that captured Google credentials. 

Additionally, Kimsuky distributed emails that lured targeted individuals to log in on a fake NK News website, aiming to steal their subscription credentials.
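The two lures described above, a trusted person's display name on a message sent from an unrelated domain and a link whose host merely resembles Google Docs or the news site, are both checkable at the mail gateway. The script below is an added example written for this article, not code from SentinelOne or from the advisory. The sender allow-list, the `nknews.example` and `thinktank.example` domains, and the two messages are constructed placeholders; the functions flag display-name impersonation, a Reply-To that diverges from the sender domain, and brand-bearing lookalike hosts.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list: which sender domains a known contact is expected to use,
# and which hosts legitimately serve the branded pages. "nknews.example" is a
# placeholder, not the real site's domain.
KNOWN_SENDERS = {"chad o'carroll": {"nknews.example"}}
LEGIT_HOSTS = {"docs.google.com", "drive.google.com", "nknews.example"}
BRAND_TOKENS = ("google", "docs", "nknews")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def normalize_name(name: str) -> str:
    # Fold curly apostrophes and case so "Chad O’Carroll" matches the allow-list key.
    return name.replace("\u2019", "'").strip().lower()


def extract_text(msg) -> str:
    # Collect text/plain and text/html bodies from a flat or multipart message.
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def sender_findings(msg) -> list[str]:
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    expected = KNOWN_SENDERS.get(normalize_name(display))
    # A known person's name on a message from a domain they never use is the
    # impersonation pattern described in the article.
    if expected is not None and domain not in expected:
        findings.append(f"display-name impersonation: '{display}' sent from {domain or '<no domain>'}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"reply-to domain differs from sender: {reply_to}")
    return findings


def link_findings(body: str) -> list[str]:
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in LEGIT_HOSTS:
            continue
        # A host that borrows a brand token but is not the genuine host is a lookalike.
        if any(token in host for token in BRAND_TOKENS):
            findings.append(f"lookalike host: {host}")
    return findings


def assess_message(raw: str) -> list[str]:
    msg = message_from_string(raw)
    return sender_findings(msg) + link_findings(extract_text(msg))


# Constructed sample messages (not real campaign artifacts).
LURE = """\
From: Chad O'Carroll <chad.ocarroll@mail-relay.example>
Reply-To: chad.ocarroll@another-host.example
To: analyst@thinktank.example
Subject: Draft article on the DPRK nuclear threat, your review?

Would you be willing to review the draft? The document is here:
https://docs-google.share-review.example/d/abc123/view
"""

LEGIT = """\
From: Chad O'Carroll <chad.ocarroll@nknews.example>
To: analyst@thinktank.example
Subject: Draft article

Document: https://docs.google.com/document/d/abc123/edit
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, assess_message(raw) or "no findings")
```

The allow-list approach only works for the handful of contacts an organisation genuinely expects mail from, which is exactly the population this campaign targets; the lookalike check is a coarse heuristic and should feed a review queue rather than block outright.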

According to the SentinelOne advisory, the campaign highlights Kimsuky’s growing dedication to social engineering and increasing interest in gathering strategic intelligence. 

“Gaining access to such reports would provide Kimsuky with valuable insights into how the international community assesses and interprets developments related to North Korea, contributing to their broader strategic intelligence-gathering initiatives,” reads the advisory.

SentinelLabs concluded its advisory by urging organizations and individuals to remain vigilant and implement adequate security measures to mitigate the risks posed by Kimsuky’s persistent social engineering attacks.

Its publication comes weeks after SentinelOne published a separate advisory describing a global spear-phishing campaign conducted by Kimsuky.