Entertainment
North Korean actor APT43 returns to strategic cyber espionage
When it comes to threat actors working for the North Korean government, most people have heard of the Lazarus Group (APT38). It was responsible for the 2014 attack on Sony Pictures, the cyber theft of Bangladeshi central bank funds in 2016, and the WannaCry ransomware worm in 2017. However, another team that security researchers call APT43, Kimsuky, or Thallium has been conducting cyber espionage and cyber crime operations at the request of the North Korean government since at least 2018.
APT43 specializes in credential harvesting and social engineering with a focus on foreign policy and nuclear security issues, topics that align with North Korea’s strategic nuclear goals. The group temporarily pivoted to target health-related verticals in 2021, reflecting the then-Pyongyang regime’s focus on tackling the COVID-19 pandemic. Since 2022, APT43 has been seen targeting so-called trail two diplomatic channels, including religious groups, universities, non-governmental organizations, journalists, academics, bloggers and human rights activists. male.
“APT43’s collection priorities align with the mission of the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence service,” said researchers at Google-owned cybersecurity firm Mandiant. a new report. “Although the overall scope of targeting is broad, the ultimate goal of the campaigns is most likely centered on activating North Korea’s weapons program, including gathering information on international negotiations, sanctions and the foreign relations and domestic politics of other countries, as these may affect North Korea’s nuclear ambitions.”
Collecting credentials in support of highly targeted phishing campaigns
There is no evidence that APT43 has ever used zero-day exploits in its operations like other state-sponsored APTs do, but the group is very good at social engineering. Its phishing email campaigns are highly tailored to the interests of its victims and often involve impersonation or the creation of very believable personas.
APT43 posed as key people in the security and defense sectors, as well as journalists and think tank analysts to build a relationship with their targets. Sometimes they don’t even need to deploy malware because they can extract the information they are interested in by having email conversations with the victim. In one case highlighted by Mandiant, APT43 operators posed as a reporter working on a story following some of the North Korean missile tests and managed to extract strategic analysis from an academic. .
The group also registers many domains and builds many websites, often with personally identifiable information (PII) stolen from real people in certain industries to make the websites more credible. They also engage in cybercriminal activities, especially theft and laundering of cryptocurrency to fund their infrastructure needs.
Some of APT43’s websites impersonate institutions or services specific to their target audience, such as university portals, search engines, web platforms, and they are used to host phishing pages for the purpose of collect identifying information. It is believed that these credentials are then used to further the operations of the group. For example, contact lists stolen from compromised email addresses are used to uncover other targets for social engineering.
“The group is primarily interested in information developed and stored within the U.S. military and government, the Defense Industrial Base (DIB), and research and security policies developed by U.S. universities and think tanks. focused on nuclear security policy and non-proliferation,” Le Mandiant said. the researchers said. APT43 has shown interest in similar industries in South Korea, especially nonprofits and universities that focus on global and regional policies, as well as businesses, such as manufacturing, that can provide information on goods whose export to North Korea has been restricted. This includes fuel, machinery, metals, transport vehicles and weapons. »
Besides South Korea and the United States, which are at the top of the North Korean government’s intelligence-gathering activities, APT43 has also targeted organizations and individuals from Japan and Europe.
The APT43 Malware Toolkit
APT43 also uses an extensive public and custom malware toolkit. For example, the group uses off-the-shelf remote access trojans such as Ghost RAT, QUASARRAT, XRAT, and Amadey. However, it is best known for a custom backdoor built from Visual Basic scripts known as LATEOP or BabyShark.
The group is constantly improving its arsenal, building on older versions and adding new features. This involves creating versions of its malware for other platforms. An example is with a Windows malware downloader that Mandiant tracks on PENCILDOWN and for which APT43 has created an Android variant.
There is evidence that APT43 collaborates and shares some of the tools with other North Korean state-sponsored groups, including Lazarus and other activity groups that are tracked separately from these two known groups but may be associated .
For example, during campaigns targeting organizations involved in the COVID-19 response globally, “A subset of APT43 almost certainly worked closely with other RGB-related units, including the sharing existing malware tools, developing new tools initially used in the expanded task, and carrying out sustained campaigns against healthcare research and related organizations,” Mandiant said.
This saw APT43 using a version of HANGMAN, a backdoor usually linked to Lazarus, as well as ENDOWN, VENOMBITE and EGGHATCH, downloaders derived from existing APT43 tools like PENCILDOWN. In another operation targeting cryptocurrency, APT43 deployed LONEJOGGER, a tool associated with a cluster of activities that Mandian tracks as UNC1069 and which displays links to Lazarus.
North Korean threat actors have a long history of money theft and cybercrime, which matches the government’s dire financial situation and need for funds. APT43 has been very active in cryptocurrency, stealing assets from users and using hash rental and cloud mining services to launder stolen cryptocurrency. Mandiant believes that the main objective of these operations is for the group to be self-sufficient and finance its own operational needs without burdening the government.
“Barring a drastic shift in North Korea’s domestic priorities, we expect APT43 to remain highly prolific in carrying out espionage campaigns and financially motivated activities supporting these interests,” they said. said the Mandian researchers. “We believe that North Korea has become increasingly reliant on its cyber capabilities and that APT43’s persistent and continuously developing operations reflect the country’s continued investment in and reliance on groups like APT43.”
The Mandiant report contains a comprehensive list of APT43-related malicious tools, indicators of compromise and file hashes as well as TTPs from the MITER ATT&CK framework.
Copyright © 2023 IDG Communications, Inc.
Sources 2/ https://www.csoonline.com/article/3692288/north-korean-threat-actor-apt43-pivots-back-to-strategic-cyberespionage.html The mention sources can contact us to remove/changing this article |
What Are The Main Benefits Of Comparing Car Insurance Quotes Online
LOS ANGELES, CA / ACCESSWIRE / June 24, 2020, / Compare-autoinsurance.Org has launched a new blog post that presents the main benefits of comparing multiple car insurance quotes. For more info and free online quotes, please visit https://compare-autoinsurance.Org/the-advantages-of-comparing-prices-with-car-insurance-quotes-online/ The modern society has numerous technological advantages. One important advantage is the speed at which information is sent and received. With the help of the internet, the shopping habits of many persons have drastically changed. The car insurance industry hasn't remained untouched by these changes. On the internet, drivers can compare insurance prices and find out which sellers have the best offers. View photos The advantages of comparing online car insurance quotes are the following: Online quotes can be obtained from anywhere and at any time. Unlike physical insurance agencies, websites don't have a specific schedule and they are available at any time. Drivers that have busy working schedules, can compare quotes from anywhere and at any time, even at midnight. Multiple choices. Almost all insurance providers, no matter if they are well-known brands or just local insurers, have an online presence. Online quotes will allow policyholders the chance to discover multiple insurance companies and check their prices. Drivers are no longer required to get quotes from just a few known insurance companies. Also, local and regional insurers can provide lower insurance rates for the same services. Accurate insurance estimates. Online quotes can only be accurate if the customers provide accurate and real info about their car models and driving history. Lying about past driving incidents can make the price estimates to be lower, but when dealing with an insurance company lying to them is useless. Usually, insurance companies will do research about a potential customer before granting him coverage. Online quotes can be sorted easily. Although drivers are recommended to not choose a policy just based on its price, drivers can easily sort quotes by insurance price. Using brokerage websites will allow drivers to get quotes from multiple insurers, thus making the comparison faster and easier. For additional info, money-saving tips, and free car insurance quotes, visit https://compare-autoinsurance.Org/ Compare-autoinsurance.Org is an online provider of life, home, health, and auto insurance quotes. This website is unique because it does not simply stick to one kind of insurance provider, but brings the clients the best deals from many different online insurance carriers. In this way, clients have access to offers from multiple carriers all in one place: this website. On this site, customers have access to quotes for insurance plans from various agencies, such as local or nationwide agencies, brand names insurance companies, etc. "Online quotes can easily help drivers obtain better car insurance deals. All they have to do is to complete an online form with accurate and real info, then compare prices", said Russell Rabichev, Marketing Director of Internet Marketing Company. CONTACT: Company Name: Internet Marketing CompanyPerson for contact Name: Gurgu CPhone Number: (818) 359-3898Email: [email protected]: https://compare-autoinsurance.Org/ SOURCE: Compare-autoinsurance.Org View source version on accesswire.Com:https://www.Accesswire.Com/595055/What-Are-The-Main-Benefits-Of-Comparing-Car-Insurance-Quotes-Online View photos
to request, modification Contact us at Here or [email protected]