29 March 2023

North Korean APT43 uses cybercrime to support cyber-espionage operations


North Korean APT43 uses cybercrime to support cyber-espionage operations

Cybersecurity firm Mandiant has shed some light on the cyber activities of a new espionage group it tracks as APT43, which has been targeting government organizations, academics, and think tanks in the United States, Europe, Japan, and South Korea since 2018.

The threat actor is said to have ties to the Reconnaissance General Bureau (RGB), North Korea's main foreign intelligence service. In past public reports, some of the group's operations have been referred to as Kimsuky and Thallium.

Mandiant says that APT43 is a moderately sophisticated threat actor that uses cybercrime to fund its espionage efforts.

“APT43 is able to support espionage efforts with cybercrime, is willing to engage in operations over longer periods of time, and has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus,” the report reads.

APT43’s most common attack method is tailored spear-phishing emails used to gain access to its victims’ information. The group also uses spoofed websites designed to steal credentials. While APT43 maintains a high tempo of activity and is prolific in its phishing and credential-collection campaigns, the researchers said they did not observe the group exploiting zero-day vulnerabilities.

“Although the overall targeting reach is broad, the ultimate aim of campaigns is most likely centered around enabling North Korea’s weapons program, including: collecting information about international negotiations, sanctions policy, and other countries’ foreign relations and domestic politics as these may affect North Korea’s nuclear ambitions,” Mandiant notes.
