North Korean APT43 uses cybercrime to support cyber-espionage operations


Cybersecurity firm Mandiant has shed some light on the cyber activities of a new espionage group it tracks as APT43, which has been targeting government organizations, academics, and think tanks in the United States, Europe, Japan, and South Korea since 2018.

The threat actor is said to have ties with the Reconnaissance General Bureau (RGB), North Korea's main foreign intelligence service. In past public reports, some of the group's operations have been referred to as Kimsuky and Thallium.

Mandiant says that APT43 is a moderately sophisticated threat actor that uses cybercrime to fund its espionage efforts.

“APT43 is able to support espionage efforts with cybercrime, is willing to engage in operations over longer periods of time, and has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus,” the report reads.

APT43’s most common attack method is tailored spear-phishing emails used to gain access to victims’ information. The group also uses spoofed websites designed to steal credentials. While APT43 maintains a high tempo of activity and is prolific in its phishing and credential-collection campaigns, the researchers said they did not observe the group exploiting zero-day vulnerabilities.

“Although the overall targeting reach is broad, the ultimate aim of campaigns is most likely centered around enabling North Korea’s weapons program, including: collecting information about international negotiations, sanctions policy, and other countries’ foreign relations and domestic politics as these may affect North Korea’s nuclear ambitions,” Mandiant notes.
