Names | APT43, Kimsuky, Thallium |
Location | North Korea |
Date of initial activity | 2018 |
Suspected attribution | State-sponsored, Reconnaissance General Bureau (RGB) |
Motivation | Credential harvesting, Espionage |
Associated tools | VINETHORN, PINEFLOWER, TABBYCAT, VBREVSHELL, TAMECAT, POWERPOST, BROKEYOLK, CHAIRSMACK, GHAMBAR, MAGICDROP, DOSTEALER, SILENTUPLOADER |
Overview
APT43 is a prolific cyber operator that supports the interests of the North Korean regime. The group combines moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.
In addition to its espionage campaigns, Mandiant believe APT43 funds itself through cybercrime operations to support its primary mission of collecting strategic intelligence. The group creates numerous spoofed and fraudulent personas for use in social engineering, as well as cover identities for purchasing operational tooling and infrastructure. APT43 has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus.
Common targets
Targeting is regionally focused on South Korea and the U.S., as well as Japan and Europe, especially in the following sectors: government, education/research/think tanks focused on geopolitical and nuclear policy, business services, manufacturing.
Attack Vectors
Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting and social engineering to support espionage activities, and financially-motivated cybercrime to fund operations. Their most frequently observed operations are spear-phishing campaigns supported by spoofed domains and email addresses as part of their social engineering tactics. Domains masquerading as legitimate sites are used in credential harvesting operations.
How they work
APT43 most commonly leverages tailored spear-phishing emails to gain access to victim information. However the group also engages in various other activities to support collecting strategic intelligence, including using spoofed websites for credential harvesting and carrying out cybercrime to fund itself. The actors regularly update lure content and tailor it to the specific target audience, particularly around nuclear security and non-proliferation.
APT43 is adept at creating convincing personas, including masquerading as key individuals within their target area (such as security and defense), as well as leveraging stolen personally identifiable information (PII) to create accounts and register domains.
APT43 uses highly relevant lure content together with spoofed email addresses. APT43 also leverages contact lists stolen from compromised individuals to identify additional targets for spear-phishing operations.
APT43 steals and launders enough cryptocurrency to buy operational infrastructure in a manner aligned with North Korea’s juche state ideology of self-reliance, reducing fiscal strain on the central government.