Mandiant identifies North Korea-linked APT43 cyber operator using cybercrime to fund espionage operations

Threat intelligence company Mandiant assessed Tuesday with ‘high confidence’ that APT43 is a moderately-sophisticated cyber operator that supports the interests of the North Korean regime. Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting, and social engineering to support espionage activities, and financially-motivated cyber crime to fund operations.

“APT43 is a prolific cyber operator that supports the interests of the North Korean regime. The group combines moderately-sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues,” Mandiant researchers wrote in their latest research report. “APT43 has shared infrastructure and tools with known North Korean operators, highlighting its role and mission alignment in a wider state-sponsored cyber apparatus.”

The report added that targeting is regionally focused on South Korea and the U.S., as well as Japan and Europe, especially in government, education/research/think tanks focused on geopolitical and nuclear policy, business services, and manufacturing. “Although the overall targeting reach is broad, the ultimate aim of campaigns is most likely centered around enabling North Korea’s weapons program, including collecting information about international negotiations, sanctions policy, and other countries’ foreign relations and domestic politics as these may affect North Korea’s nuclear ambitions,” they added.

The researchers also identified that in addition to its espionage campaigns, “we believe APT43 funds itself through cybercrime operations to support its primary mission of collecting strategic intelligence. The group creates numerous spoofed and fraudulent personas for use in social engineering, as well as cover identities for purchasing operational tooling and infrastructure.”

Earlier this month, the Office of the Director of National Intelligence (ODNI) said in its latest annual report that North Korea increasingly will engage in illicit activities, including cyber theft and exporting UN-proscribed commodities, to fund regime priorities, such as the WMD (weapons of mass destruction) program.

North Korea’s cyber program poses a sophisticated and agile espionage, cybercrime, and attack threat, ODNI reported. “Pyongyang’s cyber forces have matured and are fully capable of achieving a range of strategic objectives against diverse targets, including a wider target set in the United States. Pyongyang probably possesses the expertise to cause temporary, limited disruptions of some critical infrastructure networks and disrupt business networks in the United States.”

The report identified that North Korea’s cyber program continues to adapt to global trends in cybercrime by conducting cryptocurrency heists, diversifying its range of financially motivated cyber operations, and continuing to leverage advanced social engineering techniques. In one heist in 2022, Pyongyang stole a record $625 million from a Singapore-based blockchain technology firm.

Activities publicly attributed to APT43 are frequently reported under the names ‘Kimsuky’ or ‘Thallium’ and include credential harvesting and espionage activity most likely intended to inform North Korean leadership on ongoing geopolitical developments, Mandiant reported. The group’s most frequently observed operations are spear-phishing campaigns supported by spoofed domains and email addresses as part of its social engineering tactics. Domains masquerading as legitimate sites are used in credential-harvesting operations.

“APT43 maintains a high tempo of activity, is prolific in its phishing and credential collection campaigns, and has demonstrated coordination with other elements of the North Korean cyber ecosystem,” the researchers highlighted.

Mandiant also disclosed that since 2018, APT43’s collection priorities have aligned with the mission of the Reconnaissance General Bureau (RGB), North Korea’s main foreign intelligence service. The group’s focus on foreign policy and nuclear security issues supports North Korea’s strategic and nuclear ambitions. However, the group’s focus on health-related verticals throughout most of 2021, likely in support of pandemic response efforts, highlights its responsiveness to shifting priorities from Pyongyang.

The researchers disclosed that APT43 most commonly leverages tailored spear-phishing emails to gain access to victim information. However, the group also engages in various other activities to support collecting strategic intelligence, including using spoofed websites for credential harvesting and carrying out cybercrime to fund itself. “The actors regularly update lure content and tailor it to the specific target audience, particularly around nuclear security and non-proliferation.”

“APT43 is adept at creating convincing personas, including masquerading as key individuals within their target area (such as security and defense), as well as leveraging stolen personally identifiable information (PII) to create accounts and register domains,” Mandiant revealed. The operator also uses highly relevant lure content together with spoofed email addresses, leveraging contact lists stolen from compromised individuals to identify additional targets for spear-phishing operations.

Furthermore, APT43 steals and launders enough cryptocurrency to buy operational infrastructure in a manner aligned with North Korea’s ‘juche’ state ideology of self-reliance, reducing fiscal strain on the central government, the researchers observed.

The Mandiant researchers consider cyber espionage to be the primary mission for APT43 and available data indicates that the group’s other activities are carried out to support collecting strategic intelligence. “The group is primarily interested in information developed and stored within the U.S. military and government, defense industrial base (DIB), and research and security policies developed by U.S.-based academia and think tanks focused on nuclear security policy and nonproliferation.”

APT43 also operates credential collection campaigns to directly compromise financial data, PII, and client data from entities within the academic, manufacturing, and national security industries—especially in South Korea. In particular, the group registers domains masquerading as popular search engines, web platforms, and cryptocurrency exchanges in the target countries of interest. “We believe these credentials are used to support operations that further APT43 missions,” the researchers added.
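The spoofed-domain tactic described above (and earlier, for spear-phishing infrastructure) is something a defender can look for in web proxy or DNS logs. The following is an added example, not code from Mandiant or from the report: it scores hostnames against a short allow-list of legitimate domains and flags near-miss spellings, brand names embedded in another registrable domain, and legitimate domains used as a subdomain of an unrelated one. The allow-list, the log format, and the log lines are all constructed for the example; the similarity threshold is an assumption to tune per environment.

```python
"""Flag lookalike (spoofed) domains in web proxy logs.

Added example with constructed data; not part of the Mandiant report.
"""
import re
from difflib import SequenceMatcher

# Constructed allow-list of legitimate domains the organisation's users visit.
# Ordered so results are deterministic.
LEGITIMATE = ("naver.com", "google.com", "daum.net", "upbit.com")

# Constructed proxy log lines in a simplified "timestamp user host path" format.
LOG_LINES = [
    "2023-03-28T09:01:02Z alice naver.com /login",
    "2023-03-28T09:02:17Z bob navar.com /login",
    "2023-03-28T09:03:40Z carol upbit-login.com /signin",
    "2023-03-28T09:04:05Z dave google.com /search",
    "2023-03-28T09:05:11Z erin google.com.security-check.net /verify",
    "this line is malformed and is skipped",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<path>\S+)$")


def registrable(host):
    """Return the last two labels of a hostname.

    Simplification: ignores multi-part public suffixes such as co.kr; a real
    deployment would use a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def similarity(a, b):
    """Ratio in [0, 1] of how alike two labels are (1.0 means identical)."""
    return SequenceMatcher(None, a, b).ratio()


def classify_host(host, legitimate=LEGITIMATE, threshold=0.8):
    """Return None if host is a legitimate domain, otherwise the legitimate
    domain it appears to impersonate."""
    host_l = host.lower()
    reg = registrable(host_l)
    if reg in legitimate:
        return None
    reg_label = reg.split(".")[0]
    for legit in legitimate:
        brand = legit.split(".")[0]
        # 1. A legitimate domain appearing as a subdomain of something else
        #    (google.com.security-check.net), or the brand word embedded in a
        #    different registrable domain (upbit-login.com).
        if legit in host_l or brand in reg_label:
            return legit
        # 2. A near-miss spelling of the brand label (navar vs naver).
        if similarity(brand, reg_label) >= threshold:
            return legit
    return None


def scan_logs(lines, legitimate=LEGITIMATE):
    """Return (user, host, impersonated_domain) for every well-formed line
    whose host looks like a spoof of a legitimate domain."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        hit = classify_host(m["host"], legitimate)
        if hit:
            findings.append((m["user"], m["host"], hit))
    return findings


if __name__ == "__main__":
    for user, host, hit in scan_logs(LOG_LINES):
        print(f"{user} visited {host}, which resembles {hit}")
```

The three checks are deliberately simple string heuristics; in practice they would be run against newly observed domains from DNS or proxy telemetry and paired with registration-age data, since freshly registered lookalikes are the ones worth an analyst's time.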

“APT43 has targeted cryptocurrency and cryptocurrency-related services. In contrast to other North Korean groups such as APT38, which are likely primarily tasked to bring in funds for the regime, APT43 most likely carries out such operations to sustain its own operations,” the researchers said.

Mandiant assessed that the prevalence of financially-motivated activity among North Korean groups, even among those which have historically focused on cyber espionage, suggests a widespread mandate to self-fund and an expectation to sustain themselves without additional resourcing.

The researchers also found that APT43 relies on a relatively large toolkit composed of both non-public malware and widely available tools. Most open-source reporting on APT43 tracks the group using LATEOP (known publicly as ‘BabyShark’), but “we have observed a steady evolution and expansion of the operation’s malware library over time.”

Noting that some of the tools borrow code heavily from preceding tools while implementing improvements and adding features, the Mandiant researchers said that the group had deployed publicly available malware including gh0st RAT, QUASARRAT, and AMADEY, but its activities are much better known for being associated with LATEOP, a backdoor based on Visual Basic scripts. “APT43 has developed different variants of some of their tools, enabling multi-platform targeting. For example, we have identified an Android variant of PENCILDOWN, a Windows-based downloader,” they added.

Mandiant also reported that APT43 operations have, at times, overlapped with those of other North Korean cyber espionage operators. “However, we assess these groups to be distinct and separate and believe the overlaps are likely the result of ad hoc collaborations or other limited resource sharing. These overlaps principally take the form of malware families that had historically been used by a single North Korean cluster being employed by additional actors.”

In conclusion, the Mandiant report said that barring a drastic change in North Korea’s national priorities, “we expect that APT43 will remain highly prolific in carrying out espionage campaigns and financially-motivated activities supporting these interests. We believe North Korea has become increasingly dependent on its cyber capabilities, and APT43’s persistent and continuously-developing operations reflect the country’s sustained investment and reliance on groups like APT43.”

Earlier this month, Mandiant investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected UNC3886 Chinese-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments. These hackers have been identified to ‘continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors, and VPN technologies.’

Mandiant also provided a comprehensive analysis of recent activity by hacktivists targeting OT (operational technology) systems, leveraging information from previously undisclosed and known incidents to discuss the potential implications for OT defenders. Awareness about emerging hacktivism trends helps OT defenders to prioritize countermeasures and differentiate state-sponsored fronts leveraging the hacktivism cloak.
