
Cyber Espionage, Kimsuky now impersonate targets to collect intel

Kimsuky now impersonates its targets' trusted contacts to collect intelligence. The NSA, FBI and ROK agencies describe the TTPs the DPRK hackers use to lure victims and steal sensitive information, above all social engineering and spear phishing.

DPRK-sponsored hackers are impersonating trusted sources to collect sensitive information, as Rob Joyce, NSA Director of Cybersecurity, has warned. The agencies behind the joint advisory (the NSA, the Federal Bureau of Investigation (FBI), the U.S. Department of State, and the Republic of Korea's (ROK) National Intelligence Service, National Police Agency and Ministry of Foreign Affairs) have observed sustained information-gathering efforts originating from a specific set of North Korean cyber actors known collectively as Kimsuky, THALLIUM or Velvet Chollima. These threat actors rely on social engineering to enable much of Pyongyang's malicious computer network exploitation (CNE). In particular, Kimsuky uses spear phishing, that is, fabricated emails and other digital communications tailored to deceive a target, as one of its primary vectors for initiating a compromise and gaining access to a target's devices and networks.

How the Kimsuky spear phishing campaigns work

Kimsuky cyber actors build their spear phishing campaigns around three elements: a theme chosen to fit the target, the message content, and the malicious mechanism, or lure, through which the compromise is initiated. The main themes to beware of are impersonation and targeting of journalists, academic scholars and think tank researchers in order to:

  • solicit responses to foreign policy-related inquiries,
  • conduct a survey,
  • request an interview,
  • review a document,
  • request a resume,
  • offer payment for authoring a research paper.

Kimsuky actors tailor their themes to their target’s interests and will update their content to reflect current events discussed among the community of North Korea watchers.

The “risk” indicators

According to the NSA, FBI and ROK agencies, potential targets of the DPRK hackers should watch for the following indicators:

  • Initial communications are often seemingly innocuous with no malicious links/attachments; follow-on communications usually contain malicious links/documents to facilitate exploitation of a computer or network.
  • Email content may include real text of messages recovered from previous victim engagement with other legitimate contacts.
  • Emails in English may sometimes have awkward sentence structure and/or incorrect grammar.
  • Email content may contain a distinct Korean dialect exclusively used in North Korea.
  • Victims/targets with both direct and indirect knowledge of policy information i.e., U.S. and ROK government employees/officials working on North Korea, Asia, China, Southeast Asia matters; U.S. and ROK government employees with high clearance levels; and members of the military, are approached with common themes and questions as referenced in this advisory.
  • Email domains look like a legitimate news media site but do not match the domain of the company’s official website. Such domains may also already be flagged in open-source malware repositories like VirusTotal.
  • Spoofed email accounts carry subtle misspellings of the names and email addresses of the legitimate ones listed in a university directory or on an official website.
  • Malicious documents require the user to click “Enable Macros” to view the document.
  • Actors are persistent if the target does not respond to the initial spear phishing email. They will likely send a follow-up email within 2-3 days of initial contact.
  • Emails purport to be from official sources but are sent using unofficial email services.
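Several of these indicators can be checked mechanically before a message reaches an analyst: a display name that claims an organisation whose real domain differs from the sender's, a lookalike (typosquatted) sender domain, an official-looking sender on a consumer webmail service, a Reply-To that silently redirects the conversation elsewhere, and an attachment in a macro-capable Office format. The Python script below is an added example written for this page, not code from the advisory or the agencies. The organisation-to-domain table (exampledaily.com, example-univ.edu), the webmail list and the three sample messages are constructed assumptions, and the attachment check is a file-extension heuristic only; real detection should parse the document for VBA.

```python
import email
import email.policy
from email.utils import parseaddr

# Reference data for this example (constructed assumptions, not from the advisory):
# organisations a Kimsuky-style lure might impersonate, mapped to their real sending domain.
KNOWN_ORG_DOMAINS = {
    "Example Daily News": "exampledaily.com",
    "Example University": "example-univ.edu",
}
# Consumer webmail providers: an "official" sender using one is an advisory indicator.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "naver.com", "daum.net"}
# Office formats that can carry VBA macros; extension heuristic only, no content inspection.
MACRO_CAPABLE_EXT = (".doc", ".docm", ".dotm", ".xls", ".xlsm", ".ppt", ".pptm")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquatted domains such as exampledaliy.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> list:
    """Return the advisory indicators triggered by one RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    findings = []

    for org, real_dom in KNOWN_ORG_DOMAINS.items():
        # Display name claims a known organisation, but the address is not on its domain.
        if org.lower() in name.lower() and from_dom != real_dom:
            findings.append(f"display name claims {org} but sender domain is {from_dom}, not {real_dom}")
        # Sender domain is a near miss (within two edits) of the legitimate one.
        if from_dom != real_dom and levenshtein(from_dom, real_dom) <= 2:
            findings.append(f"lookalike domain {from_dom} resembles {real_dom}")

    # Purportedly official sender using a consumer webmail service.
    if from_dom in WEBMAIL_DOMAINS and any(o.lower() in name.lower() for o in KNOWN_ORG_DOMAINS):
        findings.append(f"official-looking sender '{name}' on webmail domain {from_dom}")

    # Reply-To routes the conversation to a different domain than the visible sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # Attachment in a macro-capable Office format (the "Enable Macros" lure).
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(MACRO_CAPABLE_EXT):
            findings.append(f"macro-capable attachment {fname}")
    return findings


# Constructed sample messages for the example (not real Kimsuky emails).
BENIGN_FIRST_CONTACT = """\
From: "Jane Doe" <jane.doe@example-univ.edu>
To: researcher@example.org
Subject: Question about your recent paper

Would you be open to a short interview next week?
"""

LOOKALIKE_LURE = """\
From: "Example Daily News Desk" <editor@exampledaliy.com>
Reply-To: <examplenews.editor@gmail.com>
To: researcher@example.org
Subject: Re: Interview request on DPRK policy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Thank you for agreeing. The questions are in the attached document.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="questions.docm"
Content-Disposition: attachment; filename="questions.docm"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

WEBMAIL_LURE = """\
From: "Example University Press Office" <exampleuniv.press@naver.com>
To: researcher@example.org
Subject: Survey on Korean Peninsula security

We would value your answers to the attached survey.
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_FIRST_CONTACT), ("lookalike", LOOKALIKE_LURE), ("webmail", WEBMAIL_LURE)):
        print(label, analyse(sample) or "no indicators")
```

The benign first contact produces no findings, which matches the advisory's point that the opening message is often innocuous; the value of the check comes from running it on every follow-up in the thread, where the lookalike domain, the webmail Reply-To and the macro-enabled document appear.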