Mandiant has revealed a new North Korean APT group that uses crypto theft to fund its main goal of cyber-espionage for the Kim Jong-un regime.
APT43 is a prolific state actor whose publicly reported activities have sometimes been attributed to “Kimsuky” or “Thallium.” It is apparently linked to the Reconnaissance General Bureau (RGB), North Korea’s main foreign intelligence service.
The group is notable for its prolific spear-phishing campaigns, supported by “aggressive” social engineering and spoofed domains/email addresses. The end goal is to harvest information aligned with foreign policy and nuclear security issues, although it switched to healthcare targets in 2021 likely as a result of the pandemic, Mandiant said.
Its main targets are South Korean and US-based government organizations, academics and think tanks focused on Korean geopolitical issues.
The group has created many spoofed and fake personas for its social engineering efforts, and sometimes also uses them as cover identities for buying operational tooling and infrastructure. Mandiant claimed that it engages targets over several weeks, in some cases tricking its victims into handing over information without even needing to deploy malware.
“We’ve seen the group posing as journalists to inquire into matters of intelligence interest to the DPRK regime, targeting European organizations,” explained Michael Barnhart, Mandiant principal analyst, Google Cloud.
“We’ve seen APT43 be extremely successful with these fake reporter emails, generating high success rates in eliciting a response from targets. This serves as a reminder to verify the addresses and identities of the people you’re speaking to.”
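The article's defensive takeaway is that a convincing display name says nothing about who controls the address behind it. The following is an added example, not Mandiant's or the article's own tooling, that shows one way a mail team can triage the From: header of an unsolicited "journalist" enquiry: allow-list known correspondent domains, flag non-ASCII (internationalised) domains, flag display names that claim a trusted organisation while the address belongs elsewhere, and score the remaining domains for look-alike similarity after folding common character substitutions. The trusted-domain list, the homoglyph table and the sample headers are constructed for illustration.

```python
"""Flag sender addresses that imitate a known correspondent domain.

Added example; not Mandiant's tooling. The trusted-domain list, the
homoglyph table and the sample From: headers below are constructed.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = ["example-news.com", "korea-institute.example"]

# Constructed table of substitutions that read alike in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold_homoglyphs(label: str) -> str:
    """Map common look-alike substitutions back to the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85) -> dict:
    """Classify a From: header as trusted, lookalike, unknown or unparseable."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"verdict": "unparseable", "domain": None, "closest": None, "reason": "no address"}
    domain = addr.rsplit("@", 1)[1].lower()

    # 1. Exact match or a subdomain of an allow-listed domain.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return {"verdict": "trusted", "domain": domain, "closest": t, "reason": "allow-listed"}

    # 2. A non-ASCII domain can mimic a trusted one glyph for glyph; treat it as suspect.
    if not domain.isascii():
        return {"verdict": "lookalike", "domain": domain, "closest": None, "reason": "non-ASCII domain"}

    # 3. Display name claims a trusted organisation while the address does not belong to it.
    for t in trusted:
        org = t.split(".")[0].replace("-", " ")
        if org in name.lower():
            return {"verdict": "lookalike", "domain": domain, "closest": t,
                    "reason": "display name claims trusted organisation"}

    # 4. Edit similarity after folding homoglyphs, e.g. examp1e-news.com -> example-news.com.
    folded = fold_homoglyphs(domain)
    best, best_score = None, 0.0
    for t in trusted:
        score = SequenceMatcher(None, folded, t).ratio()
        if score > best_score:
            best, best_score = t, score
    verdict = "lookalike" if best_score >= threshold else "unknown"
    return {"verdict": verdict, "domain": domain, "closest": best,
            "reason": f"similarity {best_score:.2f}"}


if __name__ == "__main__":
    # Constructed sample headers, one per decision branch.
    samples = [
        "Jane Reporter <jane@example-news.com>",
        "Jane Reporter <jane@examp1e-news.com>",
        "Example News Desk <desk@mail-relay.net>",
        "Jane Reporter <jane@ex\u0430mple-news.com>",  # Cyrillic 'a' in place of Latin 'a'
        "Someone <a@totally-different.org>",
    ]
    for s in samples:
        print(s, "->", assess_sender(s))
```

A verdict of `lookalike` or `unknown` is a prompt for the out-of-band check the article recommends (a phone call to the newsroom's published number, for instance), not a final judgement; the similarity threshold and the homoglyph table should be tuned to the organisation's real correspondent list.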
Perhaps most interestingly, the group is self-funded, targeting individual victims rather than cryptocurrency exchanges to generate revenue for its state-focused operations, Mandiant claimed.
One such effort used a malicious Android app to target probable Chinese users looking for cryptocurrency loans. Mandiant has also tracked 10 million “phishing NFTs” delivered to crypto users on multiple blockchains since June 2022.
“By spreading their attack out across hundreds, if not thousands, of victims, their activity becomes less noticeable and harder to track than hitting one large target,” argued Mandiant principal analyst Joe Dobson.
“Their pace of execution, combined with their success rate, is alarming; especially when you consider that most funds stolen by DPRK cyber-operators are going back to the regime to fund its development of nuclear bombs.”
APT43 also uses hash rental and cloud mining services to launder stolen cryptocurrency into clean cryptocurrency.
“Imagine you stole millions of dollars in gold, and while everyone is looking for stolen gold, you pay silver miners with stolen gold to excavate silver for you. Similarly, APT43 deposits stolen cryptocurrency into various cloud mining services to mine for a different cryptocurrency,” explained Barnhart.
“For a small fee, DPRK walks away with untracked, clean currency to do as they wish. Based on our knowledge of this actor and the other associated groups, it is very likely that the other DPRK aligned APTs are using the same services to launder their illicit funds.”