North Korean Group Kimsuky Exploits DMARC and Web Beacons

Security researchers have uncovered new tactics associated with the threat actor TA427, also known as Emerald Sleet, APT43, THALLIUM or Kimsuky. 

This group, believed to be aligned with North Korea’s Reconnaissance General Bureau, has been observed engaging in email phishing campaigns targeting experts for insights into US and South Korean foreign policies.

According to an advisory published by Proofpoint on Tuesday, TA427 has directly contacted foreign policy experts since 2023, soliciting their opinions on topics such as nuclear disarmament, US-South Korean policies and sanctions through seemingly benign email conversations.

In recent months, there has been a noticeable increase in this activity, with TA427 employing social engineering tactics, regularly changing email infrastructures and, more recently, abusing lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas. 

They have also started using web beacons, small invisible objects embedded in emails or web pages, for target profiling since February 2024.
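The "lax DMARC policies" the advisory refers to are records that exist but never instruct receivers to quarantine or reject spoofed mail (p=none, sp=none, or a low pct). The following is an added example, not code from the article or from Proofpoint, showing how a defender can assess a domain's DMARC record for that weakness; the records are constructed samples under .test domains, whereas a real check would fetch the TXT record at `_dmarc.<domain>` over DNS.

```python
# Constructed sample DMARC TXT records (not real domains' records).
SAMPLE_RECORDS = {
    "example-thinktank.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-thinktank.test",
    "example-university.test": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "example-ngo.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "example-media.test": "",  # domain publishes no DMARC record at all
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Classify how much a DMARC record actually does against spoofing.

    Returns the effective policy for the organisational domain and for
    subdomains, the percentage it applies to, and a list of weaknesses."""
    if not record:
        return {"policy": "absent", "subdomain_policy": "absent", "pct": 0,
                "issues": ["no DMARC record: receivers cannot enforce anything"]}
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("missing or invalid v=DMARC1 tag")
    # RFC 7489 requires p; a missing p is treated as none here (assumption).
    policy = tags.get("p", "none").lower()
    sp = tags.get("sp", policy).lower()  # sp defaults to p when absent
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct, _ = 100, issues.append("pct is not numeric, receivers will ignore it")
    if policy == "none":
        issues.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    if sp == "none" and policy != "none":
        issues.append("sp=none: subdomains can still be spoofed")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua: aggregate reports not collected, spoofing goes unseen")
    return {"policy": policy, "subdomain_policy": sp, "pct": pct, "issues": issues}

def lax_domains(records: dict) -> list:
    """Domains whose DMARC would let a spoofed From: header through unenforced."""
    return sorted(domain for domain, record in records.items()
                  if assess_dmarc(record)["policy"] in ("none", "absent"))
```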

This pattern of engagement and the tactics utilized by TA427 have raised concerns, Proofpoint warned. The group appears adept at social engineering, aiming to augment North Korean intelligence on foreign policy matters. By engaging targets in extended conversations, often over weeks or months, and using tailored lure content, TA427 builds rapport and seeks information without immediately resorting to malware or credential harvesting.

The targets of TA427’s phishing campaigns include experts in think tanks, NGOs, media, academia and government. The group impersonates individuals from these sectors to increase the legitimacy of their requests for information or engagement. Beyond DMARC abuse, they also rely on typosquatting or spoofing private email accounts to masquerade as trusted personalities or organizations.

The use of web beacons is a recent addition to TA427’s tactics, enabling them to gather fundamental information about recipients’ network environments. 

“While the campaigns noted in this blog are not fleecing targets out of millions of dollars, this activity goes after something that is infinitely more difficult to quantify: information and influence,” Proofpoint wrote.

“With a clear degree of success, TA427 shows no indication of slowing down or losing its agility in adjusting its tactics and standing up new infrastructure and personas with expediency.”
