North Korean actor APT43 returns to strategic cyber espionage

When it comes to threat actors working for the North Korean government, most people have heard of the Lazarus Group (APT38). It was responsible for the 2014 attack on Sony Pictures, the cyber theft of Bangladeshi central bank funds in 2016, and the WannaCry ransomware worm in 2017. However, another team that security researchers call APT43, Kimsuky, or Thallium has been conducting cyber espionage and cyber crime operations at the request of the North Korean government since at least 2018.

APT43 specializes in credential harvesting and social engineering with a focus on foreign policy and nuclear security issues, topics that align with North Korea’s strategic nuclear goals. The group temporarily pivoted to target health-related verticals in 2021, reflecting Pyongyang’s focus at the time on tackling the COVID-19 pandemic. Since 2022, APT43 has been seen targeting so-called track two diplomatic channels, including religious groups, universities, non-governmental organizations, journalists, academics, bloggers and human rights activists.

“APT43’s collection priorities align with the mission of the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence service,” said researchers at Google-owned cybersecurity firm Mandiant in a new report. “Although the overall scope of targeting is broad, the ultimate goal of the campaigns is most likely centered on enabling North Korea’s weapons program, including gathering information on international negotiations, sanctions, and the foreign relations and domestic politics of other countries, as these may affect North Korea’s nuclear ambitions.”

Collecting credentials in support of highly targeted phishing campaigns

There is no evidence that APT43 has ever used zero-day exploits in its operations like other state-sponsored APTs do, but the group is very good at social engineering. Its phishing email campaigns are highly tailored to the interests of its victims and often involve impersonation or the creation of very believable personas.

APT43 has posed as key people in the security and defense sectors, as well as journalists and think tank analysts, to build relationships with its targets. Sometimes the operators don’t even need to deploy malware, because they can extract the information they are interested in simply by holding email conversations with the victim. In one case highlighted by Mandiant, APT43 operators posed as a reporter working on a story about some of the North Korean missile tests and managed to extract strategic analysis from an academic.

The group also registers many domains and builds many websites, often with personally identifiable information (PII) stolen from real people in certain industries to make the websites more credible. They also engage in cybercriminal activities, especially theft and laundering of cryptocurrency to fund their infrastructure needs.

Some of APT43’s websites impersonate institutions or services specific to their target audience, such as university portals, search engines and web platforms, and are used to host phishing pages that collect login credentials. These credentials are believed to be used to further the group’s operations: for example, contact lists stolen from compromised email accounts are used to identify further targets for social engineering.

“The group is primarily interested in information developed and stored within the U.S. military and government, the Defense Industrial Base (DIB), and research and security policies developed by U.S. universities and think tanks focused on nuclear security policy and non-proliferation,” the Mandiant researchers said. “APT43 has shown interest in similar industries in South Korea, especially nonprofits and universities that focus on global and regional policies, as well as businesses, such as manufacturing, that can provide information on goods whose export to North Korea has been restricted. This includes fuel, machinery, metals, transport vehicles and weapons.”

Besides South Korea and the United States, which are at the top of the North Korean government’s intelligence-gathering activities, APT43 has also targeted organizations and individuals from Japan and Europe.

The APT43 Malware Toolkit

APT43 also uses an extensive public and custom malware toolkit. For example, the group uses off-the-shelf remote access trojans such as Ghost RAT, QUASARRAT, XRAT, and Amadey. However, it is best known for a custom backdoor built from Visual Basic scripts known as LATEOP or BabyShark.

The group is constantly improving its arsenal, building on older versions of its tools and adding new features, which includes creating versions of its malware for other platforms. One example is a Windows malware downloader that Mandiant tracks as PENCILDOWN, for which APT43 has created an Android variant.

There is evidence that APT43 collaborates with and shares some of its tools with other North Korean state-sponsored groups, including Lazarus and other activity clusters that are tracked separately from these two known groups but may be associated with them.

For example, during campaigns targeting organizations involved in the COVID-19 response globally, “a subset of APT43 almost certainly worked closely with other RGB-related units, including sharing existing malware tools, developing new tools initially used in the expanded task, and carrying out sustained campaigns against healthcare research and related organizations,” Mandiant said.

During this period APT43 used a version of HANGMAN, a backdoor usually linked to Lazarus, as well as ENDOWN, VENOMBITE and EGGHATCH, downloaders derived from existing APT43 tools such as PENCILDOWN. In another operation targeting cryptocurrency, APT43 deployed LONEJOGGER, a tool associated with a cluster of activity that Mandiant tracks as UNC1069 and which has links to Lazarus.

North Korean threat actors have a long history of money theft and cybercrime, which matches the government’s dire financial situation and need for funds. APT43 has been very active in cryptocurrency, stealing assets from users and using hash rental and cloud mining services to launder stolen cryptocurrency. Mandiant believes that the main objective of these operations is for the group to be self-sufficient and finance its own operational needs without burdening the government.

“Barring a drastic shift in North Korea’s domestic priorities, we expect APT43 to remain highly prolific in carrying out espionage campaigns and financially motivated activities supporting these interests,” the Mandiant researchers said. “We believe that North Korea has become increasingly reliant on its cyber capabilities and that APT43’s persistent and continuously developing operations reflect the country’s continued investment in and reliance on groups like APT43.”

The Mandiant report contains a comprehensive list of APT43-related malicious tools, indicators of compromise and file hashes, as well as TTPs mapped to the MITRE ATT&CK framework.

Copyright © 2023 IDG Communications, Inc.

Source: https://www.csoonline.com/article/3692288/north-korean-threat-actor-apt43-pivots-back-to-strategic-cyberespionage.html
