Atomic Digest

North Korean cyberspies deceive foreign experts into doing their studies


When Daniel DePetris, a global affairs expert based in the United States, got an email in October from the director of the 38 North think tank requesting an article, it appeared to be business as usual.

It was not.

According to people involved and three cybersecurity professionals, the sender was actually a suspected North Korean spy seeking information.

Instead of infecting his computer and stealing sensitive data, as hackers normally do, the sender appeared to be impersonating 38 North director Jenny Town in an attempt to elicit his thoughts on North Korean security vulnerabilities.

“I understood it wasn’t legitimate when I contacted the person with follow-up inquiries and discovered there had been no request made and that this person was also a target,” DePetris told Reuters, referring to Town. “So I quickly realized that this was a widespread effort.”

According to cybersecurity experts, five targeted individuals, and emails obtained by Reuters, the email is part of a new and previously unknown campaign by a suspected North Korean hacker outfit.

It has been reported that North Korean spies send emails that trick targets into giving up passwords or opening malware-laden attachments or links.

The cyber outfit, which researchers have variously dubbed Thallium or Kimsuky, has long employed “spear-phishing” emails that fool targets into divulging passwords or clicking malware-laden attachments or links. Now, though, it also appears to request comments or reports from researchers and other specialists.

According to emails acquired by Reuters, other issues raised included China’s stance in the event of a new nuclear test and whether a “quieter” approach to North Korean “aggression” could be needed.

According to James Elliott of the Microsoft Threat Intelligence Center (MSTIC), the new strategy first surfaced in January. “The attackers are having a lot of success with this quite basic method,” he stated. The attackers have drastically altered the procedure.

MSTIC stated that it has identified “many” North Korea specialists who submitted information to a Thallium attacker account.

According to the cybersecurity researchers, the professionals and analysts targeted by the campaign are crucial in moulding international public opinion and foreign countries’ policies toward North Korea.

According to a 2020 study by U.S. federal cybersecurity organizations, Thallium has been operational since 2012 and “is most certainly assigned a global intelligence gathering role by the North Korean leadership.”

According to Microsoft, Thallium has historically targeted government employees, think tanks, academia, and human rights organizations.

North Korea has denied involvement in any cybercriminal activity.

“The attackers are getting the information straight from the horse’s mouth, if you will, so they don’t have to sit there and evaluate it,” Elliott said.

NEW TACTICS

North Korean hackers are notorious for hacks that netted millions of dollars, including an attack on Sony Pictures over a film deemed disrespectful to its leader and data thefts from pharmaceutical and defense industries, foreign governments, and others.

The embassy of North Korea in London did not respond to a request for comment, but previously denied involvement in cybercrime.

Saher Naumaan, chief threat intelligence analyst at BAE Systems Applied Intelligence, stated that in prior operations, Thallium and other hackers spent weeks or months cultivating trust with a target before distributing dangerous software.

Microsoft reports that the gang now communicates in some cases with experts without ever distributing infected files or links, even after victims reply.

This strategy is faster than stealing a user’s account and sifting through their emails, circumvents standard technological security measures that would analyze a communication for dangerous content, and gives spies direct access to the experts’ thoughts, according to Elliott.

“It’s quite difficult for us as defenders to block these emails,” he said, adding that in most situations it’s up to the recipient to figure it out.

Before realizing what had occurred, analysts had submitted comprehensive reports or manuscript evaluations on studies commissioned by the attackers.

Town stated that several purported communications from her had been sent from an email address ending in “.live” as opposed to her official account, which ends in “.org”, but had copied her whole signature line.

In one instance, she said, she was featured in a bizarre email exchange in which the suspect, posing as her, replied to her.
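
The two tells Town describes, a known name on a look-alike address and the real person copied on "her own" message, can be checked from the message headers alone. The sketch below is an added example, not something from Reuters or Microsoft; the contact directory, names and `example.*` addresses are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed directory of known correspondents (hypothetical name and address).
KNOWN_CONTACTS = {"jane director": "jane.director@example.org"}

def _domain_parts(addr):
    """Return (full domain, everything before the last dot) in lower case."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain, domain.rpartition(".")[0]

def check_sender(raw_message):
    """Flag mail whose From display name is a known contact on another domain."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    known = KNOWN_CONTACTS.get(" ".join(name.lower().split()))
    if known is None or not addr:
        return []
    domain, label = _domain_parts(addr)
    known_domain, known_label = _domain_parts(known)
    if domain == known_domain:
        return []  # forgery on the real domain is a job for SPF/DKIM/DMARC
    # Same name under a different TLD (".live" for ".org") vs. unrelated domain.
    findings = ["tld-swap" if label == known_label else "display-name-mismatch"]
    # The person being impersonated is also a recipient of "their own" message.
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if any(r.lower() == known for _, r in recipients):
        findings.append("impersonated-contact-in-recipients")
    return findings

# Constructed sample messages; only the headers matter to the check.
SPOOFED = (
    "From: Jane Director <jane.director@example.live>\n"
    "To: analyst@example.net, jane.director@example.org\n"
    "Subject: Request for an article\n\n"
    "Would you write 800 words for us?\n\nJane Director\nDirector\n"
)
GENUINE = SPOOFED.replace("example.live", "example.org").replace(
    ", jane.director@example.org", "")

if __name__ == "__main__":
    print(check_sender(SPOOFED))
    print(check_sender(GENUINE))
```

A copied signature block adds nothing to the decision here, which is why the check keys on the envelope of names and addresses rather than on the body.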

The emails he has received, according to DePetris, a fellow at Defense Priorities and columnist for various newspapers, are worded as if a researcher is requesting a paper submission or feedback on a draft.

“They were extremely sophisticated, with think tank insignia affixed to the correspondence to make the inquiry appear official,” he claimed.

Approximately three weeks after receiving the spoofed email from 38 North, a separate hacker impersonated him and emailed others asking them to review a draft, according to DePetris.

This email, which was shared with Reuters by DePetris, offers $300 for reading a manuscript on North Korea’s nuclear program and requests suggestions for additional potential reviewers. Elliott stated that the hackers had never compensated anyone for their research or comments and had no intention of doing so.

GATHERING INFORMATION

As North Korea’s isolation has intensified because of sanctions and the epidemic, Western intelligence agencies believe Pyongyang has become more reliant on cyber campaigns, a security source in Seoul told Reuters on condition of anonymity in order to discuss intelligence concerns.


In a March 2022 report, a panel of experts investigating North Korea’s violations of U.N. sanctions described Thallium’s operations as “constituting espionage aimed to inform and aid” the country’s sanctions evasion.

In some instances, according to Town, attackers commissioned papers, and analysts delivered whole reports or manuscript evaluations before discovering what had occurred.

DePetris reported that the hackers inquired about subjects he was already addressing, such as Japan’s response to North Korea’s military activities.

Another email, posing as a reporter from Japan’s Kyodo News, asked a 38 North staff member how the war in Ukraine influenced North Korea’s thinking and raised questions regarding U.S., Chinese, and Russian foreign policy.

DePetris stated, “One can only guess that the North Koreans are seeking open opinions from think tanks in order to better comprehend U.S. policy on the North and where it may be headed.”
