Cybersecurty firm Mandiant has shed some light on cyber activities of a new espionage group it tracks as APT43 that has been targeting government organizations, academics, and think tanks in the United States, Europe, Japan, and South Korea since 2018.
The threat actor is said to have ties with the Reconnaissance General Bureau (RGB), North Korea's main foreign intelligence service. In past public reports some of the group's operations have been referred to as Kimsuky and Thallium.
Mandiant says that APT43 is a moderately-sophisticated threat actor that uses cybercrime to fund its espionage efforts.
“APT43 is able to support espionage efforts with cybercrime, is willing to engage in operations over longer periods of time, and has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus,” the report reads.
APT43’s most common attack method is using tailored spear-phishing emails to gain access to their victim’s information. The group also uses spoofed websites designed to steal credentials. While APT43 maintains a high tempo of activity and is prolific in its phishing and credential collection campaigns, the researchers said they didn’t observe the group exploiting zero-day vulnerabilities.
“Although the overall targeting reach is broad, the ultimate aim of campaigns is most likely centered around enabling North Korea’s weapons program, including: collecting information about international negotiations, sanctions policy, and other country’s foreign relations and domestic politics as these may affect North Korea’s nuclear ambitions,” Mandiant notes.