A group of cyber spies believed to be backed by the North Korean government has been identified as posing as journalists and academics to trick individuals into providing sensitive information that can be used for espionage. The group, identified as APT43, has been tracked for five years by Google Cloud's cybersecurity subsidiary, Mandiant.
The group has also been referred to as "Kimsuky" or "Thallium" by other firms. Mandiant's analysts have attributed activity to the group and have noted that APT43 has targeted South Korean and U.S. government organizations, as well as think tanks that deal with North Korean geopolitical issues.
Additionally, the group engages in cybercrime to steal and launder cryptocurrency. The report reveals that APT43 spoofs the websites of legitimate organizations to trick its targets into giving out information. The group's fluidity in adapting to the needs of the regime and shifting its targeting accordingly has raised concerns among experts.
The primary method used by APT43 involves impersonating journalists or experts in phishing emails. The group aims to extract information from its targets by posing as a reporter or a think tank analyst. A common tactic is to ask experts and academics to answer questions related to North Korea, thereby collecting intelligence. The attackers often pretend to be well-known individuals in their respective fields in order to build trust and rapport before requesting strategic analysis on specific topics. Using this approach, APT43 can deceive its victims into divulging sensitive information that can be used for spying.
According to Mandiant, there has been a shift in APT43's activities, with an increased focus on targeting the healthcare sector. The aim of these attacks is likely to gather information that can be used to support a North Korean response to COVID-19.