North Korean hackers exploiting weak DMARC security policies to mask spearphishing efforts

U.S. cybersecurity agencies have issued a joint advisory on attempts by Kimsuky, a cyber actor of the Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea), to exploit improperly configured Domain-based Message Authentication, Reporting and Conformance (DMARC) DNS records to conceal social engineering attempts. Without a properly configured DMARC policy, malicious cyber actors can send spoofed emails that appear to come from a legitimate domain’s mail servers.

“The North Korean cyber actors have conducted spearphishing campaigns posing as legitimate journalists, academics, or other experts in East Asian affairs with credible links to North Korean policy circles,” the Federal Bureau of Investigation (FBI), the U.S. Department of State, and the National Security Agency (NSA) detailed in a Thursday advisory. “North Korea leverages these spearphishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting North Korean interests by gaining illicit access to targets’ private documents, research, and communications.”

The advisory outlines that North Korea’s cyber program provides the regime with broad intelligence collection and espionage capabilities. “The United States Government (USG) has observed sustained information-gathering efforts originating from North Korean cyber actors. North Korea’s premier military intelligence organization, the Reconnaissance General Bureau (RGB), which has been sanctioned by the United Nations Security Council, is primarily responsible for this network of actors and activities,” it added. 

Furthermore, the agencies assess that the principal goals of North Korea’s cyber program include maintaining consistent access to current intelligence about the U.S., South Korea, and other countries of interest, in order to impede any perceived political, military, or economic threat to the regime’s security and stability.

“The USG and private sector cybersecurity companies currently track the specific set of North Korean cyber actors conducting these large-scale social engineering campaigns as Kimsuky, Emerald Sleet, APT43, Velvet Chollima, and Black Banshee (herein referred to as Kimsuky),” the advisory said. “Kimsuky is administratively subordinate to the 63rd Research Center, an element within North Korea’s RGB, and has conducted broad cyber campaigns in support of RGB objectives since at least 2012.” 

Kimsuky actors’ primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and other experts. Successful compromises further enable Kimsuky actors to craft more credible and effective spearphishing emails, which can then be leveraged against more sensitive, higher-value targets.

The advisory seeks to bring awareness of these campaigns to degrade or minimize the effectiveness of Kimsuky spearphishing operations. “This advisory provides detailed information on how Kimsuky actors exploit DMARC policies; red flags to consider when encountering common themes and campaigns; and general mitigation measures for entities worldwide to implement to better protect against Kimsuky’s computer network exploitation (CNE) operations,” it added.

The hackers may also use content from emails of previously compromised email accounts to enhance the seeming authenticity of their spoofed emails, the advisory noted. “In addition to convincing email messages, Kimsuky cyber actors have been observed creating fake usernames and using legitimate domain names to impersonate individuals from trusted organizations, including think tanks and higher education institutions, to gain trust and build rapport with email recipients. Spoofed emails do not come from the trusted organization’s actual domain email exchange, but rather from the actor-controlled email address and domain.”

The advisory also lists indicators and behaviors that targeted sectors should watch for as possible signs of malicious North Korean cyber activity. These include innocuous initial communication with no malicious links or attachments, followed by communications containing malicious links or documents, potentially from a different, seemingly legitimate, email address; email content that may include real text of messages recovered from previous victim engagement with other legitimate contacts; and emails in English that have awkward sentence structure and/or incorrect grammar.

It also pointed to emails or communications targeting victims with either direct or indirect knowledge of policy information, including U.S. and ROK (Republic of Korea) government employees or officials working on North Korea, Asia, China, and/or Southeast Asia matters; U.S. and ROK government employees with high clearance levels; and members of the military.

It also included sender addresses spoofed with subtle misspellings of legitimate names and email addresses listed in a university directory or on an official website; malicious documents that require the user to click ‘Enable Macros’ to view the content; follow-up emails within two to three days of initial contact if the target does not respond to the initial spearphishing email; and emails purporting to be from official sources but sent using unofficial email services, identifiable in the header information by a slightly incorrect version of the organization’s domain.
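The last two red flags above (a header domain that is a slightly incorrect version of an organization’s domain, and a display name that claims an organization the address does not belong to) can be checked mechanically against the domains a recipient actually corresponds with. The following is an added example, not code from the advisory or from the agencies: it classifies the domain in a From: header as trusted, lookalike or unrelated using an allow-list, an edit-distance threshold, a top-level-domain swap check and an embedded-name check. The trusted domains, the sample headers and the threshold of two edits are constructed for the example.

```python
"""Flag From: domains that imitate a trusted organization's domain.

Added example; not code from the advisory. It implements the red flag
described above: mail whose header domain is a slightly incorrect version
of an organization's domain, or whose display name claims an organization
the address does not belong to. The trusted domains and sample headers
below are constructed for the example.
"""
from email.utils import parseaddr

# Constructed allow-list of domains the recipient actually corresponds with.
TRUSTED_DOMAINS = ("example.edu", "thinktank.example.org")

# Constructed From: header values, in the style of the advisory's red flags.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.edu>",                 # genuine
    "Jane Doe <jane.doe@mail.example.edu>",            # genuine subdomain
    "Jane Doe <jane.doe@examp1e.edu>",                 # digit 1 for letter l
    "Jane Doe <jane.doe@example.edu.attacker.test>",   # trusted name embedded
    "Research Desk <desk@thinktank.example.com>",      # top-level domain swap
    '"Jane Doe - example.edu" <jd123@freemail.test>',  # fake username on free mail
    "Newsletter <news@unrelated.test>",                # nothing to do with us
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header, '' if there is none."""
    _, addr = parseaddr(from_header)
    _, sep, domain = addr.rpartition("@")
    return domain.lower() if sep else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'unparseable'."""
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"      # the real domain or a real subdomain of it
    for t in trusted:
        if t in name.lower():
            return "lookalike"    # display name claims an org the address lacks
        if t in domain:
            return "lookalike"    # trusted name embedded: example.edu.attacker.test
        if domain.rsplit(".", 1)[0] == t.rsplit(".", 1)[0]:
            return "lookalike"    # same name, different top-level domain
        if levenshtein(domain, t) <= max_edits:
            return "lookalike"    # typo or homoglyph: examp1e.edu
    return "unrelated"


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(f"{classify_sender(hdr):11} {hdr}")
```

The edit-distance threshold is a tuning knob: two edits catches single-character swaps and transpositions on domains of realistic length, but on very short domains it will over-match, so in practice the allow-list check and the embedded-name check do most of the work and the distance check is a last resort.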

The FBI, Department of State, and NSA called on organizations to strengthen their DMARC policies and wider cybersecurity posture by aligning with the cross-sector cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide minimum practices and protections that CISA and NIST recommend all organizations implement, and are based on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures.

For email security specifically, the advisory “recommends enabling DMARC and setting it to ‘reject.’ Missing DMARC policies or DMARC policies with ‘p=none’ indicate that the receiving email server should take no security action on emails that fail DMARC checks and allow the emails to be sent through to the recipient’s inbox.” 

The agencies recommend mitigating this threat by updating the organization’s DMARC policy: at minimum, tightening it so that receiving mail servers treat unauthenticated email as spam (‘p=quarantine’), and preferably instructing them to reject it outright (‘p=reject’).
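To make the difference between these policy levels concrete, here is an added example (not code from the advisory or the agencies) that parses a DMARC TXT record of the kind published at _dmarc.<domain> and rates it. The records, the example.com reporting address and the weak/partial/strong labels are constructed for the example; a real check would fetch the TXT record via DNS rather than use the inline strings.

```python
"""Rate how much protection a DMARC record gives against direct-domain spoofing.

Added example; not code from the advisory. A receiving mail server reads the
TXT record at _dmarc.<domain> to learn what to do with mail that fails DMARC.
This parses such a record and reports whether failing mail is delivered (weak),
quarantined or only partly covered (partial), or rejected for the domain and
its subdomains (strong). Records are constructed strings so the example runs
offline; a real check would fetch the TXT record via DNS.
"""
from typing import Dict, Optional, Tuple

# Constructed records: the weak setting the advisory warns about, and a strict one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; {} unless v=DMARC1 leads (RFC 7489)."""
    pairs = [part.split("=", 1) for part in record.split(";") if "=" in part]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if not pairs or pairs[0][0].strip().lower() != "v" or tags["v"].upper() != "DMARC1":
        return {}
    return tags


def assess_dmarc(record: Optional[str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'weak', 'partial' or 'strong'.

    'weak' means receivers take no action on failing mail, so anyone can put
    the domain in From: and reach the inbox, which is the gap the advisory
    describes Kimsuky exploiting.
    """
    if not record:
        return "weak", "no DMARC record published; failing mail is delivered"
    tags = parse_dmarc(record)
    if not tags:
        return "weak", "not a valid DMARC record; receivers ignore it"
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p
    if p not in VALID_POLICIES or sp not in VALID_POLICIES:
        # RFC 7489 6.6.3: a missing/invalid p or an invalid sp is handled as
        # p=none when rua= is present, otherwise the record is ignored.
        return "weak", "missing or invalid p=/sp= tag; handled as none or ignored"
    if p == "none":
        return "weak", "p=none: monitoring only, failing mail is delivered"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        # Not covered by the RFC's invalid-tag rules; this example treats a
        # malformed pct= as a record that needs fixing rather than guessing.
        return "partial", "pct= is not a number; fix the record"
    if pct < 100:
        return "partial", f"p={p} applies to only {pct}% of failing mail (pct={pct})"
    if p == "quarantine":
        return "partial", "p=quarantine: failing mail goes to spam rather than being rejected"
    if sp != "reject":
        return "partial", f"p=reject, but subdomains get sp={sp}"
    return "strong", "p=reject for the domain and its subdomains"


if __name__ == "__main__":
    for label, rec in [("missing", None), ("weak", WEAK_RECORD),
                       ("quarantine", "v=DMARC1; p=quarantine"), ("strict", STRICT_RECORD)]:
        verdict, reason = assess_dmarc(rec)
        print(f"{label:10} -> {verdict:7} {reason}")
```

Two details are easy to miss when moving from p=none to p=reject: a pct= below 100 leaves the stated share of failing mail unaffected, and the subdomain policy sp= defaults to p but can be set weaker, so a domain can publish p=reject while any subdomain remains spoofable.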
