North Korean cybercrime group intensifies its espionage efforts


The operator, also known as Kimsuky, Thallium and Konni, has attacked organizations in sectors including education, government, media and research, among others. According to Proofpoint, TA406 is the one most closely associated with Kimsuky activity among the three threat actors the company currently tracks as distinct: TA408, TA406 and TA427.

The company stated that its analysts have tracked TA406 campaigns against its customers since 2018, but the volume of these campaigns remained minimal until early January 2021. During the first half of the year, Proofpoint observed weekly attacks against journalists, foreign policy experts and non-governmental organizations (NGOs), in particular those involved in activities affecting the Korean peninsula. Academics were targeted as well.

In a March 2021 campaign, TA406 targeted senior political figures at several government institutions, a consulting firm, defence and law-enforcement institutions, and economic and financial groups. Most of TA406's targets are in North America, China and Russia.

The operator has been active since at least 2012. Although the group does not usually use malware in its operations, the espionage activity observed in 2021 was marked by the use of malware to collect credentials.

The malware families used include Amadey, BabyShark, Android Moez, FatBoy, CARROTBAT/CARROTBALL, SANNY, KONNI and YoreKey. NavRAT and QuasarRAT also appear to have been used. According to security researchers, TA406 has also been involved in financially motivated attacks such as sextortion and the targeting of bitcoin, like other North Korean state-sponsored actors.

Proofpoint assesses with high confidence that TA406 acts on behalf of the North Korean government. According to Proofpoint, the group will continue to conduct regular corporate credential theft operations, targeting mainly organizations that are relevant to the North Korean government.

“TA406 uses its own registered and controlled infrastructure to host credential-harvesting web pages and malicious documents, and a limited number of compromised legitimate websites, as infrastructure. TA406 uses Gmail, Yandex and Mail[.]ru email accounts masquerading as government agencies or legitimate non-profits to deliver its lures. TA406 also uses tools to send personalized messages, such as Star and PHPMailer, a PHP-based tool. TA406 uses URLs in its phishing emails that link to the SendGrid email delivery service, which redirects to an attacker-controlled domain hosting the malicious payload or a credential-harvesting page. SendGrid is an email marketing platform that is used for legitimate business purposes and is often allowed to bypass email security filters; many threat actors use this type of redirect behavior in order to appear legitimate,” the Proofpoint report states.
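The two delivery traits in the quoted passage, free webmail senders wearing an institutional display name and phishing links routed through SendGrid click-tracking hosts, are cheap to check for in mail triage. The script below is an added example and not Proofpoint's or TA406's code: the sample message is constructed, the keyword list and the `sendgrid.net` host suffix are assumptions rather than anything stated in the report, and the `triage()` function is only meant to surface candidates for an analyst to look at.

```python
"""Triage helper for two TA406 delivery traits described in the Proofpoint quote:
(1) a free-webmail sender (Gmail, Yandex, Mail.ru) masquerading as a government
agency or non-profit, and (2) a phishing URL that passes through SendGrid click
tracking before reaching the attacker-controlled domain.
Added example; not Proofpoint's tooling. The sample message is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Free webmail providers named in the report (assumption: the common domains).
FREE_WEBMAIL = {"gmail.com", "yandex.ru", "yandex.com", "mail.ru"}

# Display-name fragments that suggest an institutional identity (assumption;
# tune for your own environment).
INSTITUTIONAL_HINTS = ("ministry", "embassy", "department", "institute",
                       "foundation", "ngo", "government", "press office")

# SendGrid click-tracking links live under *.sendgrid.net (assumption about the
# host suffix; the path and token format are deliberately not parsed).
SENDGRID_SUFFIX = "sendgrid.net"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_mismatch(display_name: str, address: str) -> bool:
    """True when an institutional-looking display name sits on a free-webmail address."""
    domain = address.rsplit("@", 1)[-1].lower()
    name = display_name.lower()
    return domain in FREE_WEBMAIL and any(h in name for h in INSTITUTIONAL_HINTS)


def sendgrid_redirect_urls(text: str) -> list[str]:
    """Return every URL in the text whose host is a SendGrid click-tracking host."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if host == SENDGRID_SUFFIX or host.endswith("." + SENDGRID_SUFFIX):
            hits.append(url)
    return hits


def triage(raw_message: bytes) -> dict:
    """Parse a raw RFC 5322 message and report the two indicators."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    result = {
        "from_name": name,
        "from_address": addr,
        "sender_mismatch": sender_mismatch(name, addr),
        "sendgrid_urls": sendgrid_redirect_urls(text),
    }
    result["suspicious"] = result["sender_mismatch"] or bool(result["sendgrid_urls"])
    return result


# Constructed sample lure: institutional display name on a Gmail address, with a
# SendGrid tracking link. The tracking token is a placeholder, not a real one.
SAMPLE_EMAIL = b"""From: "Embassy Press Office" <embassy.press.office@gmail.com>
To: analyst@example.org
Subject: Request for comment on inter-Korean talks
Content-Type: text/plain; charset="utf-8"

Dear Dr. Kim,
Please review the interview questions at the link below:
https://u1234567.ct.sendgrid.net/ls/click?upn=example-tracking-token
Regards
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Either indicator on its own is weak (plenty of legitimate newsletters use SendGrid, and plenty of small NGOs use Gmail); the value is in the combination, and in following the SendGrid redirect in a sandbox to see which domain it actually lands on.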

The operators have posed as Russian diplomats, academics and Korean individuals, among other false identities. For example, Proofpoint said it observed TA406 between late 2020 and early 2021 impersonating Eunjung Cho, a Washington, D.C.-based reporter for Voice of America, and Tomas Jimy, presented as an academic researcher.

The initial infection chain and the differences from TA427

North Korean actors continue to evolve

North Korean state-sponsored actors continue to target critical organizations around the world. Recently, Kaspersky researchers uncovered the two latest supply chain attack campaigns by the North Korean hacking group Lazarus. The attackers gained access to the network of a South Korean security software vendor in order to abuse that company's software, and to an IT asset monitoring product vendor with offices in Latvia, deploying the Blindingcan and Copperhedge backdoors.
