Set your email servers to block N. Korean spies, US officials urge

A North Korean hacking collective is exploiting poorly configured email servers to attack academic institutions, think tanks, journalists, and nonprofit organizations, U.S. agencies warned Thursday.

The group, known as Kimsuky, is using phishing to surreptitiously gain access to organizations’ email domains and masquerade as legitimate users, according to an advisory issued by the State Department, FBI and NSA.

Kimsuky is a cybercrime unit believed to be housed in the DPRK’s military intelligence directorate, known as the Reconnaissance General Bureau, or RGB. It has taken on other names from private-sector cybersecurity researchers, including Emerald Sleet, APT43, and Velvet Chollima.

The phishing messages are sent as malicious emails. Once communication is established between a legitimate user and the disguised hacker, the latter sends follow-up replies containing malign links and attachments that can siphon recipients’ sensitive data.

In one instance, a Kimsuky operative posed as a journalist seeking comment on geopolitical issues related to North Korea. Because of improper configuration, the bogus reporter was able to change the “Reply-to” email address so that the targeted account’s responses would be sent to a North Korean-controlled account.

The exploit is rooted in the Domain-based Message Authentication, Reporting and Conformance, or DMARC, a protocol that gives system administrators the ability to control unauthorized use of email domains to prevent spoofing and phishing attempts.

Certain signs can help targeted orgs spot the sham emails, including typos, awkward English-speaking sentence structure and repeated email text found in previous engagement with other victims, the advisory says. But it also urges institutions to change their DMARC policies, like re-coding configurations to confine messages that don’t match account domains or label them as spam.

North Korea has deployed shadow operatives across the globe who pose as legitimate IT workers, planting themselves into companies to carry out long-haul schemes that fund Pyongyang’s nuclear weapons program. They’ve been able to finance the programs through covert cryptocurrency transactions, and the schemes have paid for some 50% of the DPRK’s missile projects, according to public U.S. assessments.

The Kimsuky entity, in particular, focuses on providing “stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and other experts,” the readout says.

The intelligence-gathering collective has been active since at least 2012, cyber officials have previously stated. 

The Treasury Department in November sanctioned eight North Korean agents that enabled revenue generation for the nation’s nuclear missile activities, as well as Kimsuky, on grounds that the group carried out intelligence-gathering activities in support of Pyongyang’s national interests. 

The nation’s cyber forces have matured and will “continue its ongoing cyber campaign, particularly cryptocurrency heists; seek a broad variety of approaches to launder and cash out stolen cryptocurrency; and maintain a program of IT workers serving abroad to earn additional funds,” a February U.S. intelligence assessment says.