North Korean state-sponsored hackers have been impersonating leading researchers to aid their information-gathering activities. The cybercriminals pose as researchers from think tanks to commission reports into aspects of US, Chinese and Russian foreign policy, it has been revealed.
The notorious North Korean hacking gang Kimsuky, also known as Thallium, has been spearheading the information-gathering campaign, according to researchers from Microsoft.
Kimsuky: North Korean hackers impersonate researchers to gather nuclear information
Members of Kimsuky are apparently impersonating researchers at think tanks to commission reports on areas of interest for the North Korean government from subject matter experts.
Popular issues referenced by the gang include China’s reaction in the event of a nuclear test and whether a quieter approach to North Korean aggression might be warranted.
The campaign began in January and has since been highly productive. “The attackers are having a ton of success,” said James Elliott of the Microsoft Threat Intelligence Centre (MSTIC). Speaking to Reuters, Elliott added that “the attackers have completely changed the process”.
MSTIC has identified several experts on North Korea who provided information to a Kimsuky attacker account. The researchers targeted by the gang are influential in shaping foreign policy concerning North Korea in countries around the world.
“Attackers are getting information directly from the horse’s mouth,” Elliott said. “They don’t have to sit there and make interpretations because they’re getting it directly from the expert.”
In some cases, the attackers engage with experts for months as they gather the information they need. They use spoofed emails that resemble those of research institutions.
US-based foreign affairs analyst Daniel DePetris told Reuters he received realistic emails from the gang, as though a researcher was asking him for a paper submission or comments on a draft. “They were quite sophisticated, with think tank logos attached to the correspondence to make it look as if the inquiry was legitimate,” he explained.
A few weeks after receiving that email, another hacker started to impersonate him, asking fellow researchers to look at a draft, he said. In that email the hackers were offering $300 to review a manuscript about North Korea’s nuclear programme purportedly written by DePetris, asking for recommendations for other reviewers.
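The lure described above works because the sender address, reply address and attached branding all look like a legitimate research institution. The following script is an added illustration of the header-level checks a recipient or mail gateway can apply to such a message; it is not code from Microsoft, Reuters or the article. The institution domains, the "analyst" recipient and both sample messages are constructed placeholders (hypothetical-thinktank.example and similar), not real organisations.

```python
"""Heuristic checks for institution-impersonation e-mails.

Added example, not from the article. All domains and messages below are
constructed placeholders.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List, Optional

# Constructed allowlist of domains an analyst expects research
# correspondence from (placeholders, not real institutions).
KNOWN_INSTITUTION_DOMAINS = {
    "hypothetical-thinktank.example",
    "policy-institute.example",
}

# Constructed message imitating the lure in the article: lookalike From
# domain (l -> 1), Reply-To and Return-Path on a free-mail provider,
# and a failed DMARC check reported by the receiving gateway.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@freemail-provider.example>
Authentication-Results: mx.example; dmarc=fail (p=none) header.from=hypothetica1-thinktank.example
From: "Research Fellow" <fellow@hypothetica1-thinktank.example>
Reply-To: fellow.reviews@freemail-provider.example
To: analyst@example.org
Subject: Request for comments on draft manuscript

Could you review the attached draft on the nuclear programme? An honorarium is offered.
"""

# Constructed benign message from the genuine (placeholder) institution.
CLEAN_MESSAGE = """\
Return-Path: <fellow@hypothetical-thinktank.example>
Authentication-Results: mx.example; dmarc=pass header.from=hypothetical-thinktank.example
From: "Research Fellow" <fellow@hypothetical-thinktank.example>
To: analyst@example.org
Subject: Panel invitation

We would like to invite you to speak on our next panel.
"""


def domain_of(header_value) -> str:
    """Lowercase domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known=KNOWN_INSTITUTION_DOMAINS) -> Optional[str]:
    """Known domain that `domain` imitates, or None if exact or unrelated."""
    if domain in known:
        return None
    for k in known:
        if 0 < edit_distance(domain, k) <= 2:
            return k
    return None


def assess_message(raw: str) -> List[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    path_dom = domain_of(msg["Return-Path"])

    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"From domain {from_dom} looks like {imitated}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if path_dom and path_dom != from_dom:
        findings.append(f"Return-Path domain {path_dom} differs from From domain {from_dom}")
    auth = str(msg["Authentication-Results"] or "").lower()
    if "dmarc=fail" in auth or "dkim=fail" in auth:
        findings.append("Authentication-Results reports a DMARC/DKIM failure")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, assess_message(raw) or "no findings")
```

The checks are deliberately simple: an edit-distance threshold against a small allowlist, a mismatch between the visible From domain and the Reply-To or Return-Path domain, and the gateway's own DMARC verdict. None of them proves impersonation on its own, but a message that trips several at once, as the constructed sample does, is exactly the kind of correspondence a targeted analyst should verify out of band before replying or opening attachments.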
Kimsuky continues its cyberespionage activities
Kimsuky, or Thallium, has long been on the radar of Western governments. North Korea is well known for using cyber espionage gangs to circumvent sanctions, in an effort to source valuable information and steal millions of dollars' worth of cryptocurrency.
The FBI and CISA have released warnings about the gang in the past; Kimsuky has been active since 2012. Its favoured tactic is spearphishing, in which gang members gather enough intelligence about a specific, targeted individual to extract information or money from them, normally through social engineering.
The gang’s most recent campaign was a widespread cyber espionage mission targeting Android phones in South Korea, Japan and the US. In October it was revealed that Kimsuky was targeting individuals and companies across the public and private sectors.
Earlier this year a breach of a South Korean nuclear research institute called the Korean Atomic Energy Research Institute (KAERI) was also revealed to have been carried out by the hackers. “If the state’s key technologies on nuclear energy have been leaked to North Korea, it could be the country’s biggest breach,” KAERI said in a statement.