Threat hunters at Mandiant have uncovered yet another North Korean hacking group, one that funds its operations through cybercrime in support of espionage campaigns against South Korean and U.S.-based government organizations. The Google-owned incident response and forensics firm has designated the group APT43 and warns that it is a “moderately-sophisticated cyber operator that supports the interests of the North Korean regime.”
A new report from Mandiant explains that the group’s cyberespionage campaigns involve gathering strategic intelligence that is aligned with North Korea’s geopolitical interests, harvesting credentials and social engineering to support espionage activities, and engaging in financially-motivated cybercrime to fund operations. Mandiant also notes that the group’s collection priorities align with the mission of the Reconnaissance General Bureau (RGB), North Korea’s main foreign intelligence service.
To carry out its campaigns, APT43 relies on spear-phishing, spoofed domains and spoofed email addresses as part of its aggressive social engineering tactics. The group also registers domains masquerading as legitimate sites for credential harvesting operations. However, Mandiant says that the group does not appear to be using exploits for zero-day vulnerabilities.
Mandiant’s researchers also point out that APT43 maintains a high tempo of activity and is highly proficient in its phishing and credential collection campaigns. The ultimate aim of APT43’s campaigns is most likely to support North Korea’s weapons program. This includes gathering intelligence on international negotiations, sanctions policy, and other countries’ foreign relations and domestic politics that may affect North Korea’s nuclear ambitions.
In conclusion, Mandiant’s report warns that APT43 is targeting organizations in South Korea, the United States, Japan, and Europe. It is imperative for organizations to be aware of the threats posed by this group and to take proactive steps to protect their networks.
Key Points:
• Mandiant has uncovered a North Korean hacking group that uses cybercrime to fund its espionage campaigns.
• The group, APT43, is a “moderately-sophisticated cyber operator” that supports the interests of the North Korean regime.
• APT43’s cyberespionage campaigns involve gathering strategic intelligence, credential harvesting, and social engineering.
• The group also engages in financially-motivated cybercrime to fund operations.
• The ultimate aim of APT43’s campaigns is to support North Korea’s weapons program.
• Organizations should be aware of the threats posed by this group and take proactive steps to protect their networks.