North Korean APT Group Uses Social Engineering Attacks to Gather Intelligence, Cybersecurity Experts Warn

A malicious campaign with the objective of delivering reconnaissance malware as well as stealing email and NK news subscriber credentials has been initiated by a threat group having aligned interests with North Korea.

On June 7, SentinelOne’s cybersecurity researchers disclosed Kimsuky’s campaign details that specifically targets experts on North Korean affairs. ‘’Based on the used malware, infrastructure, and tactics, we assess with high confidence that the campaign has been orchestrated by the Kimsuky threat actor,’’ noted the advisory. The disclosure comes in wake of the joint warning released by US and South Korean intelligence agencies, alerting Kimsuky’s use of exfiltrating malware and spear-phishing tools to illicitly gather data and credentials of targets.

To gather favorable strategic intelligence, North Korean advanced persistent threat (APT) group expands its social engineering tactics to target think tanks, academia, and media experts in the US. Their sophisticated methods include spoofed URLs, extensive email correspondence and use of reconnaissance malware, ReconShark.

To establish trust and engage with the target, it was found that the threat actor had impersonated Chad O’Carroll, founder of NK News. SentinelOne’s investigation also revealed the use of HTML-formatted phishing email containing spoofed URLs. The seemingly legitimate Google Doc URLs redirects the user to a malicious website. This is done with the aim of capturing the target’s Google credentials.

Moreover, Kimsuky was also seen using spoofed URL emails that redirect the target to a fake NK login site, helping them steal user credentials for NK News subscription service. The news site is known for its detailed reports and expert analysis on North Korea. Access to these reports helps the threat actor achieve its broader objective of strategic intelligence-gathering initiatives.

A few months ago, German and South Korean intelligence agencies had issued an advisory, alerting Gmail and AOL users of Kimsuky’s malicious campaign to steal their credentials.

To mitigate the risk of similar attacks, experts recommend users to exercise caution and deploy effective security measures.