Report finds that North Korea-associated TA406 hacker recycles tactics and targets


A veteran hacker group from the Democratic People’s Republic of Korea (DPRK) has resurfaced using malware that could be used for information gathering. The group, which Proofpoint tracks as TA406, has previously been known by other names.

Proofpoint has released a threat report on the ongoing credential theft campaigns of TA406, a threat actor that engages in espionage, cybercrime, and sextortion. Analysts from Proofpoint have tracked TA406 campaigns targeting its customers since 2018, but these attacks remained low in volume until the beginning of January 2021.

“Our analysts have tracked TA406 campaigns targeting customers since 2018, but the threat actor’s campaigns remained low in volume until the beginning of January 2021,” the company said in its report. “From January through June 2021, Proofpoint observed almost weekly campaigns targeting foreign policy experts, journalists and nongovernmental organizations (NGOs).” TA406 does not usually employ malware in its campaigns. However, two notable 2021 campaigns attributed to the group attempted to distribute malware that could be used for information gathering.

Proofpoint does not map TA406 one-to-one onto any other publicly known group. The activity tracked as TA406 by Proofpoint is often referred to publicly as ‘Kimsuky,’ Thallium, or Konni Group, and for most researchers and vendors, including Proofpoint, TA406 falls under the broader Kimsuky umbrella. Kimsuky was first named publicly by Kaspersky in research published in 2013, in which the Russian cybersecurity firm described it as a “somewhat unsophisticated spy program that communicated with its ‘master’ via a public e-mail server.”

Much like Lazarus Group, the name Kimsuky has developed into a catchall for numerous clusters of activity. While Proofpoint broadly agrees that TA406 likely has organizational ties to what Kaspersky and other threat researchers have tracked as Kimsuky, its visibility into operator behavior and patterns of targeting allows Proofpoint to cluster the activity tracked as Kimsuky more granularly into three distinct threat actors, TA406, TA408 and TA427, plus several unidentified actors, the company said.

TA406 has conducted espionage-motivated campaigns since at least 2012 and financially motivated campaigns since at least 2018. The group is known to use spear-phishing messages both to deliver malware and to harvest credentials. TA406 has used many different malware families, including KONNI, SANNY, CARROTBAT/CARROTBALL, BabyShark, Amadey, and Android Moez.

The Proofpoint report disclosed that TA406 conducts credential-phishing campaigns targeting experts at political and foreign policy organizations and NGOs, especially those who work on or are experts in activities that affect the Korean Peninsula, including nuclear nonproliferation. TA406 also targets academics and journalists.

Generally, TA406 phishing campaigns focus on individuals in North America, Russia, and China, with the operators frequently masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations related to cryptocurrency for financial gain. One campaign conducted by TA406 in 2021 had drastically different targeting than normal, for reasons that remain unknown.

The campaign occurred around the same time as the March 2021 North Korean missile tests and targeted several organizations and individuals not previously observed as targets for TA406, Proofpoint said. The recipients of that campaign included some of the highest-ranking elected officials of several different governmental institutions, an employee at a consulting firm, government institutions related to defense, law enforcement, and economy and finance, and generic mailboxes for board and customer relations of a large financial institution.

Such diverse and high-profile targeting is unusual for TA406, and the timing of this campaign, which coincided with prominent missile testing, suggests it may have been a political signal rather than a genuine attempt to collect credentials.

On the other hand, TA406 and other actors associated with the DPRK are opportunistic and would likely have capitalized on stolen credentials if any of the recipients or organizations had fallen victim to the campaign. Before 2021, Proofpoint had observed only limited credential-capture campaigns using national security or human rights themes. TA406 was also one of the first threat actors to use coronavirus themes, appearing in Proofpoint data in February 2020, before nearly every other criminal or advanced persistent threat (APT) actor.

In early 2021, TA406 began almost weekly campaigns featuring themes that included nuclear weapon safety, U.S. President Joe Biden, Korean foreign policy, and other political topics. The group attempted to collect credentials, such as Microsoft logins or other corporate credentials, from the targeted individuals. In some cases the emails were benign; these messages may have been attempts by the attackers to build rapport with victims before sending them a malicious link or attachment.

Proofpoint anticipates that “this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” it concluded.

Earlier this week, a Congressional Research Service (CRS) report identified two categories of cyberattacks by foreign adversaries against entities in the U.S.: 23 cyberattack campaigns that the federal government has attributed to hackers operating on behalf of other nation-states, and another 30 cyberattacks that the government has attributed to criminal actors seeking personal gain. In investigating cyber incidents, the U.S. government attempts to unmask those behind the incident and attribute it, wrote Chris Jaikaran, an analyst in cybersecurity policy, in the report.
