North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations


A recently identified North Korean threat actor has, since 2018, been linked to a series of targeted campaigns that collect strategic intelligence aligned with the country's geopolitical goals.

Google-owned Mandiant is tracking the group as APT43. It has both espionage and financial motives and relies on techniques such as credential harvesting and social engineering.

The group's financially motivated activity is a means to an end: the money it raises funds its primary objective of collecting valuable intelligence.

Victimology patterns show a concentration of attacks on South Korea, the United States, Japan and Europe, across sectors including government, education, research centers, policy institutes, business services and manufacturing.

Between October 2020 and October 2021, the threat actor was observed departing from its usual targets to go after health-related industries and pharmaceutical companies, demonstrating how quickly it can shift focus.

According to a comprehensive technical report published on Tuesday by Mandiant researchers, APT43 is a prolific cyber operator that serves the objectives of the North Korean government.

The group combines moderately sophisticated technical capabilities with aggressive social engineering, aimed in particular at South Korean and U.S.-based government agencies, academics and research institutes that focus on geopolitical issues affecting the Korean peninsula.

APT43's activity is assessed to be aligned with the Reconnaissance General Bureau (RGB), North Korea's foreign intelligence agency, and it shows strategic overlap with the hacking group known as Kimsuky (also referred to as Black Banshee, Thallium or Velvet Chollima).

Additionally, APT43 has been observed using tools traditionally associated with other groups subordinate to the RGB, such as the Lazarus Group (also known as TEMP.Hermit).

APT43 carries out its attacks through spear-phishing emails tailored to lure each target. The messages are sent under fabricated personas that impersonate prominent figures in the victim's own field of expertise, which helps the group earn the victim's trust.

Another tactic the group uses is to mine contact information from compromised individuals to identify additional targets, and to steal cryptocurrency that then funds its operations. To hide any trace of illicit activity, the stolen digital assets are laundered through cloud mining and hash rental services and converted into clean cryptocurrency.

The attacks are designed to harvest login credentials through fake websites that mimic legitimate services. The stolen information is then used to build further fraudulent online identities.
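The two tactics described above, a spoofed sender persona and a credential-harvesting page on a lookalike domain, are the kind of thing a mail-triage rule can flag on the defender's side. The following is an added example, not code from the Mandiant report or from APT43's tooling: it parses a constructed spear-phishing message, checks the display name against a small list of known contacts and their expected domains, compares the Reply-To domain with the sender domain, and scores every link's host against a list of protected service domains (both lists, the message and all domain names here are constructed placeholders).

```python
"""Heuristic triage of a constructed spear-phishing message (added example).

Flags: a display name that impersonates a known contact while the real address
is on an unrelated domain, a Reply-To that diverts replies elsewhere, and links
whose hosts mimic a legitimate service's login domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: display name -> domain that contact really writes from.
KNOWN_CONTACTS = {"Dr. Jane Example": "think-tank.example"}

# Constructed list of legitimate service domains whose login pages get cloned.
PROTECTED_DOMAINS = ["mail.example.com", "login.example.org"]

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Return the lowercase domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(host):
    """Return the protected domain that `host` mimics, or None if it is legitimate."""
    host = host.lower()
    for legit in PROTECTED_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return None  # the real service or one of its own subdomains
    for legit in PROTECTED_DOMAINS:
        # e.g. mail.example.com.<attacker-domain>: the brand used as a subdomain label
        if host.startswith(legit + "."):
            return legit
        # e.g. login.exarnple.org: a near-miss spelling of the real domain
        if edit_distance(host, legit) <= 2:
            return legit
    return None


def triage(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    expected = KNOWN_CONTACTS.get(display_name)
    if expected and sender_domain != expected:
        findings.append(
            f"display-name impersonation: '{display_name}' sent from "
            f"{sender_domain}, expected {expected}"
        )

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"reply-to mismatch: {domain_of(reply_to)} vs {sender_domain}")

    body = ""
    if not msg.is_multipart():
        body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        legit = lookalike_of(host)
        if legit:
            findings.append(f"lookalike domain: {host} mimics {legit}")
    return findings


# Constructed sample message imitating the lure pattern the article describes.
RAW_MESSAGE = """\
From: "Dr. Jane Example" <jane.example@gmail-secure.example>
To: analyst@institute.example
Reply-To: jane.example@mailer.example
Subject: Request for comments on draft paper
Content-Type: text/plain; charset=utf-8

Please review the draft at https://mail.example.com.secure-login.example/doc
Alternatively sign in at https://login.exarnple.org/auth
"""

if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print(finding)
```

The sample message produces four findings: the impersonated display name, the diverted Reply-To, and one lookalike host for each of the two link styles (brand-as-subdomain and typo-squat). In practice the contact and protected-domain lists would come from the organisation's own directory and SSO inventory.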

According to Mandiant, the fact that North Korean groups, including those previously engaged only in cyber espionage, now take part in financially motivated activity points to a broad directive to self-fund and sustain their operations without external support.

APT43 operates with a large arsenal of both custom and publicly available malware, including LATEOP (also known as BabyShark), FastFire, gh0st RAT, Quasar RAT, Amadey, and an Android downloader called PENCILDOWN that is based on the Windows version.

The findings come shortly after German and South Korean government agencies warned that Kimsuky was conducting cyber attacks using rogue browser extensions to gain unauthorized access to users' Gmail accounts.

According to the threat intelligence firm, APT43 is highly responsive to the demands of Pyongyang's leadership and continues to operate at a high tempo.

Although APT43 is best known for spear-phishing and credential harvesting against government, military and diplomatic organizations, its targeting and tactics shift with the priorities of its sponsors. This includes financially motivated cybercrime, which it conducts as needed to support the regime.
