Alert on Spoofed Emails by North Korean Hackers

The U.S. government issued a cybersecurity advisory, warning about North Korean hackers sending emails that appear to come from trusted sources.

The advisory, jointly released by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State, highlights the threat posed by North Korean actors using spear-phishing campaigns to gather intelligence on geopolitical events, foreign policy strategies, and other information relevant to North Korea’s interests. These campaigns involve gaining unauthorized access to targets’ private documents, research, and communications.

The hackers exploit misconfigured Domain-based Message Authentication, Reporting, and Conformance (DMARC) DNS record policies to disguise their social engineering efforts. This lets them send emails that appear to originate from the legitimate mail servers of trusted domains.

The North Korean activity cluster responsible for these attacks is known as Kimsuky (also referred to as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima). This group is linked to the Reconnaissance General Bureau (RGB) and is a sister collective to the infamous Lazarus Group.

According to a report, Kimsuky began using this method in December 2023. Their primary targets are foreign policy experts, whose opinions they seek on nuclear disarmament, U.S.-South Korea policies, and sanctions. The hacking group is adept at social engineering, engaging targets in prolonged, benign conversations to build trust. They often use aliases impersonating DPRK subject matter experts from think tanks, academia, journalism, and independent research.

Kimsuky rarely sends malware or credential-harvesting tools directly. Instead, they often ask targets to share their thoughts via email or formal research papers, fulfilling their intelligence needs through direct requests rather than infections.

The researchers also pointed out that many entities targeted by Kimsuky had not enabled or enforced DMARC policies, allowing spoofed emails to bypass security checks. Kimsuky has been observed using free email addresses that spoof the same persona in the reply-to field, further convincing targets of their legitimacy.

In one highlighted instance, the hackers posed as a journalist seeking an interview about North Korea’s nuclear plans. They informed the target that their email account would be temporarily blocked and asked them to respond to a fake personal email account, increasing the likelihood of a successful phishing attempt.
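The reply-to redirection described in the two paragraphs above (a spoofed persona in the Reply-To field, and a request to answer at a "personal" free-mail address) is something a mail gateway or SOC can flag without any knowledge of the sender's identity. The following is an added example written for this article, not code from the advisory or from any of the named agencies; the two messages, the domain names and the list of free webmail providers are all constructed placeholders, and the `Authentication-Results` header is assumed to have been stamped by the receiving server.

```python
"""Flag messages whose Reply-To redirects to a different domain, especially a free
webmail provider, and whose DMARC check did not pass.

Added example; messages, domains and the provider list below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumed list of free webmail domains; a real deployment would maintain its own.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

# Constructed sample: a "journalist" persona whose From domain is a think tank,
# with a Reply-To pointing at a free mailbox and a failed DMARC check.
SUSPICIOUS_MESSAGE = """\
From: "Jane Reporter" <jane.reporter@thinktank.example>
Reply-To: jane.reporter.press@gmail.com
To: analyst@policy.example
Subject: Interview request on DPRK nuclear policy
Authentication-Results: mx.policy.example; dmarc=fail (p=none) header.from=thinktank.example

My work account will be blocked for a few days, please reply to my personal address.
"""

# Constructed sample: same persona, no redirection, DMARC passed.
BENIGN_MESSAGE = """\
From: "Jane Reporter" <jane.reporter@thinktank.example>
To: analyst@policy.example
Subject: Interview request on DPRK nuclear policy
Authentication-Results: mx.policy.example; dmarc=pass header.from=thinktank.example

Would you have time for a short call next week?
"""


def _domain(header_value: Optional[str]) -> Optional[str]:
    """Return the lower-cased domain of an address header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def analyze_message(raw: str) -> List[str]:
    """Return findings for the reply-to redirection pattern; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings: List[str] = []

    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))

    # Reply-To that leaves the From domain is the core of the pattern.
    if from_domain and reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}"
        )
        if reply_domain in FREE_MAIL_DOMAINS:
            findings.append(f"Reply-To points at free webmail provider {reply_domain}")

    # Use the receiving server's own DMARC verdict if it recorded one.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    match = re.search(r"dmarc=(\w+)", auth)
    if match and match.group(1).lower() != "pass":
        findings.append(
            f"DMARC result is {match.group(1)} for header.from={from_domain}"
        )
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, analyze_message(raw) or ["no findings"])
```

A single mismatch is not proof of anything (legitimate senders do use a different Reply-To), so the findings are meant to raise a review flag or a banner for the recipient rather than to block the message outright; combined with a failed DMARC result, though, the message deserves a second look before anyone replies.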

Organizations are advised to update their DMARC policies to treat emails failing the checks as suspicious or spam, and to receive aggregate feedback reports by setting up an email address in the DMARC record.
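The two recommendations in the paragraph above (an enforcing policy and a reporting address) can be checked mechanically against the DMARC TXT record a domain publishes. The following is an added example written for this article, not code from the advisory; the two records it evaluates are constructed, one in the monitor-only state the advisory warns about and one hardened, and the `example.com` reporting address is a placeholder. Fetching the live record from DNS (`_dmarc.<domain>`) is left to the caller so the check runs offline.

```python
"""Assess a DMARC TXT record for the weaknesses the advisory describes:
no record, a non-enforcing policy (p=none), partial application (pct<100),
and no aggregate-report address (rua).

Added example; the records below are constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed: the monitor-only record many targeted organisations were found to publish.
WEAK_RECORD = "v=DMARC1; p=none"

# Constructed: an enforcing record with subdomain policy and aggregate reporting.
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; pct=100"
)

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tag=value pairs, with tag names lower-cased."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return findings; an empty list means the record enforces and reports."""
    if not record:
        return ["no DMARC record published: spoofed mail is not checked at all"]

    tags = parse_dmarc(record)
    findings: List[str] = []

    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag: receivers will ignore the record")

    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(
            f"p={policy or '<missing>'}: failing mail is delivered normally; use quarantine or reject"
        )

    # sp defaults to p when absent, so only an explicit weak value is a finding.
    sp = tags.get("sp")
    if sp is not None and sp.lower() not in ENFORCING:
        findings.append(f"sp={sp}: subdomains can still be spoofed")

    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the failing mail")

    if not re.search(r"mailto:[^,\s]+@[^,\s]+", tags.get("rua", "")):
        findings.append("no rua=mailto: address: aggregate reports will not be received")

    return findings


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD), ("none", None)):
        print(label, assess_dmarc(rec) or ["enforcing and reporting"])
```

Moving straight from `p=none` to `p=reject` can break legitimate mail sent by third parties on the domain's behalf, so the usual path is to publish `rua` first, read the aggregate reports for a few weeks, then step up to `quarantine` and finally `reject`; the check above treats anything short of that end state as a finding.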

To prevent falling victim to these sophisticated spear-phishing attacks, organizations should implement strict DMARC policies to ensure emails that fail authentication checks are marked as suspicious or spam. Additionally, employee training on recognizing phishing attempts and the importance of verifying email sources can significantly reduce the risk. Regularly updating and patching email security systems, combined with multi-factor authentication, can further enhance protection against these threats.