A new cyber-espionage group, dubbed APT43, has been attributed to a series of attack campaigns aimed at gathering strategic intelligence that aligns with Pyongyang’s geopolitical interests since 2018. However, the group’s motives are not only espionage-related but are also financially motivated. APT43 has been employing sophisticated techniques such as credential harvesting and social engineering to further its objectives and is known for focusing on specific geographical areas and sectors.
APT43’s targeting is focused on South Korea, the US, Japan, and Europe. The group’s targets span various industries including government, education, research, policy institutes, business services, and manufacturing sectors. However, it primarily targets entities related to its mission of gathering strategic intelligence that could serve the interests of the North Korean government.
The findings reveal that APT43’s activities are aligned with the Reconnaissance General Bureau (RGB), North Korea’s foreign intelligence agency. It also indicates tactical overlaps with another hacking group dubbed Kimsuky (also known as Black Banshee, Thallium, or Velvet Chollima), which has been known for carrying out cyber espionage campaigns since 2012.
Tactics employed by APT43
APT43 is known for using spear-phishing emails containing tailored lures to entice victims. The group also leverages contact lists stolen from compromised individuals to identify more targets and steals cryptocurrency to fund its attack infrastructure. The prevalence of financially motivated activities among North Korean hacking groups, including APT43, indicates a widespread mandate to self-fund and an expectation to sustain themselves without additional resourcing.
Warning by Government Agencies
Last week, German and South Korean government agencies warned about cyberattacks mounted by Kimsuky using rogue browser extensions to steal users’ Gmail inboxes. This warning proves that North Korean hacking operators have been actively employing advanced tactics in their efforts to achieve their objectives.
Flexibility in Tactics and Targets
APT43 is known to modify its targeting and tactics, techniques, and procedures based on its sponsors’ requirements, including carrying out financially motivated cybercrime to support the regime. The use of cryptocurrency to fund the attack infrastructure enables APT43 to operate without financial constraints, expanding its potential targets and increasing the severity of attacks.
The emergence of APT43 highlights the increasing danger of cyber espionage and cybercrime in response to global geopolitical issues. APT43’s focus on financial gain as well as strategic intelligence gathering, coupled with their advanced tactics, poses a severe threat to organizations worldwide. To mitigate the potential impact of North Korean hacking groups, organizations should focus on implementing advanced security measures, enhancing employee cybersecurity training, and network segmentation to prevent any unauthorized lateral movement.
