North Korea has been running state-sponsored cyber attacks targeting research centers and think tanks, academic institutions, and news media organizations in the United States and other targeted nations through social engineering. This was recently revealed by the Federal Bureau of Investigation (FBI), the US Department of State, and the National Security Agency (NSA), together with the Republic of Korea’s National Intelligence Service (NIS), National Police Agency (NPA), and Ministry of Foreign Affairs (MOFA). According to information, cyber actors in the Democratic People’s Republic of Korea (DPRK which also is known as North Korea are known to conduct spear-phishing campaigns posing as real journalists, academics, or other individuals with credible links to North Korean policy circles. The DPRK employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets.
North Korea’s cyber program provides the regime with broad intelligence collection and espionage capabilities. The Governments of the United States and the Republic of Korea (Also known as ROK or South Korea) have observed sustained information-gathering efforts originating from these North Korean cyber actors. North Korea’s primary military intelligence organization, the Reconnaissance General Bureau (RGB), which has been sanctioned by the United Nations Security Council, is primarily responsible for this network of actors and activities.
We assess the primary goals of the DPRK regime’s cyber program include maintaining consistent access to current intelligence about the United States, South Korea, and other countries of interest to impede any political, military, or economic threat to the regime’s security and stability.
Currently, the US and ROK Governments, and private sector cyber security companies, track a specific set of DPRK cyber actors conducting these large-scale social engineering campaigns as Kimsuky, Thallium, APT43, Velvet Chollima, and Black Banshee. Kimsuky is administratively subordinate to an element within North Korea’s RGB and has conducted broad cyber campaigns in support of RGB objectives since at least 2012. Kimsuky actors’ primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime.
Some targeted entities may discount the threat posed by these social engineering campaigns, either because they do not perceive their research and communications as sensitive in nature, or because they are not aware of how these efforts fuel the regime’s broader cyber espionage efforts.
However, as outlined in this advisory, North Korea relies heavily on intelligence gained by compromising policy analysts. Further, successful compromises enable Kimsuky actors to craft more credible and effective spear-phishing emails that can be leveraged against more sensitive, higher-value targets. The authoring agencies believe that raising awareness of some of these campaigns and employing basic cyber security practices may frustrate the effectiveness of Kimsuky spear-phishing operations. This advisory provides detailed information on how Kimsuky actors operate; red flags to consider as you encounter common themes and campaigns; and general mitigation measures for entities worldwide to implement to better protect against Kimsuky’s CNE operations.