New methods North Korea’s Cyber Spies
2022.12.12 03:23
Budrigannews.com – When U.S.-based foreign affairs analyst Daniel DePetris received an email in October from the director of the 38 North think tank requesting an article, it looked like a routine request.
The sender was in fact a suspected North Korean spy seeking information, according to those involved and three cybersecurity researchers.
Rather than trying to infect his computer and steal sensitive data, as hackers typically do, the sender appeared to be trying to elicit his views on North Korean security issues by posing as 38 North director Jenny Town.
DePetris told Reuters, referring to Town: “I realized it wasn’t legit once I contacted the person with follow-up questions and found out there was, in fact, no request that was made, and that this person was also a target. As a result, I quickly realized that this was a widespread campaign.”
According to cybersecurity experts, five of the targeted individuals and emails reviewed by Reuters, the message was part of a previously unreported campaign by a suspected North Korean hacking group.
Researchers have dubbed the hacking group Thallium or Kimsuky, among other names. It has long used “spear-phishing” emails to trick targets into giving up passwords or clicking on malware-laden attachments or links. In this campaign, however, it often appears simply to ask researchers or other experts for reports or opinions.
Other topics discussed in emails reviewed by Reuters included how China would react to a new nuclear test, and whether a “quieter” approach to North Korean “aggression” might be warranted.
“The attackers are having a ton of success with this very, very simple method,” said James Elliott of the Microsoft Threat Intelligence Center (MSTIC), which said the new tactic first appeared in January. “The process has been completely altered by the attackers.”
According to MSTIC, a Thallium attacker account has received information from “multiple” North Korea experts.
The experts and analysts targeted by the campaign help shape public opinion and foreign policy toward North Korea worldwide, according to cybersecurity researchers.
Thallium “is most likely tasked by the North Korean regime with a global intelligence gathering mission,” according to a 2020 report from U.S. government cybersecurity agencies.
According to Microsoft, Thallium has historically targeted think tanks, academics, human rights organizations, and government employees.
Elliott stated, “The attackers are getting the information directly from the horse’s mouth, if you will, and they are not having to sit there and make interpretations because they are getting it directly from the expert.”
North Korean hackers are well known for attacks that net millions of dollars, for the attack on Sony Pictures over a movie seen as disrespectful to the country’s leader, and for stealing data from pharmaceutical and defense companies, foreign governments and others.
The North Korean embassy in London did not respond to a request for comment, but North Korea has denied involvement in cybercrime.
In other attacks, Thallium and other hackers have spent weeks or months building trust with a target before sending malicious software, according to Saher Naumaan, principal threat intelligence analyst at BAE Systems Applied Intelligence.
Microsoft, on the other hand, claims that the group now talks to experts in some cases without ever sending malicious files or links until the victims respond.
According to Elliott, this approach gives the spies direct access to the experts’ thinking, bypasses conventional security tools that scan for and flag malicious attachments or links, and can be quicker than compromising someone’s account and reading through their email.
He said, “For us as defenders, it’s really, really hard to stop these emails,” adding that most of the time, the recipient will figure it out on their own.
Town said some messages purporting to be from her copied her entire signature line but used an email address ending in “.live” rather than her official account, which ends in “.org.”
In one instance, she said, she was part of a bizarre email exchange in which the suspected attacker, posing as her, replied to her.
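The pattern Town describes, a copied signature block paired with a sender address on a different domain, is something a mail filter can catch even when the message carries no attachment or link. The following Python check is an added example for this page, not code from Reuters, Microsoft or any of the organisations mentioned; the contact directory, domains and messages in it are constructed, and the `KNOWN_CONTACTS` map and `check_sender` function are hypothetical names.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of known correspondents for this example (hypothetical):
# normalised display name -> domains that person legitimately sends from.
KNOWN_CONTACTS = {
    "jenny town": {"thinktank.org"},
}


def _norm_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jenny  Town' and 'jenny town' compare equal."""
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(raw_message: str) -> list:
    """Inspect one RFC 5322 message and return a list of (code, detail) findings.

    Checks, in order:
      1. the display name matches a known contact but the From: domain is not theirs;
      2. Reply-To: points to a different domain than From:;
      3. the body (for example a copied signature block) mentions a known contact's
         domain while the message was sent from a different domain.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    expected = KNOWN_CONTACTS.get(_norm_name(name))
    if expected is not None and from_domain not in expected:
        findings.append((
            "display_name_mismatch",
            f"'{name}' normally sends from {sorted(expected)}, this came from {from_domain!r}",
        ))

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(("reply_to_mismatch",
                         f"Reply-To domain {_domain(reply_addr)!r} differs from From"))

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    for org_domain in sorted({d for domains in KNOWN_CONTACTS.values() for d in domains}):
        if org_domain in text and from_domain != org_domain:
            findings.append(("signature_domain_mismatch",
                             f"body mentions {org_domain} but sender domain is {from_domain!r}"))

    return findings


# Constructed sample messages (not real correspondence).
LEGIT = """\
From: Jenny Town <jenny.town@thinktank.org>
To: analyst@example.com
Subject: Request for an article
Content-Type: text/plain; charset=utf-8

Would you be able to write a short piece on the latest missile tests?

Jenny Town
Director
www.thinktank.org
"""

# Same signature block, sender moved to a lookalike ".live" domain.
SPOOFED = LEGIT.replace("jenny.town@thinktank.org", "jenny.town@thinktank.live")

UNKNOWN = """\
From: Some Reporter <reporter@news.example>
To: analyst@example.com
Subject: Quick question
Content-Type: text/plain; charset=utf-8

Could you comment on the latest sanctions round?
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("unknown", UNKNOWN)):
        print(label, check_sender(sample) or "no findings")
```

The check deliberately says nothing about attachments or URLs: it keys on the relationship between the claimed identity and the sending domain, which is exactly the signal that survives when an operator sends plain, benign-looking text. An unknown sender with no impersonation signals produces no finding, so the output is a triage hint, not a verdict.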
The emails that DePetris, a fellow at Defense Priorities and a columnist for a number of newspapers, said he had received were written as if a researcher were requesting comments on a draft or a submission of a paper.
He stated, “They were quite sophisticated, with logos from think tanks attached to the correspondence to give the impression that the inquiry is legitimate.”
About three weeks after receiving the forged email, a separate hacker posed as DePetris and emailed other people asking them to review a draft, he said.
DePetris shared that email with Reuters. In it, the impersonator offers $300 for reviewing a manuscript about North Korea’s nuclear program and asks for suggestions of additional potential reviewers. According to Elliott, the hackers never intended to pay anyone for their research or responses.
Impersonation is a common method used by spies worldwide, but Western intelligence agencies believe Pyongyang has become particularly reliant on cyber campaigns as North Korea’s isolation has deepened under sanctions and the pandemic, one security source in Seoul told Reuters, speaking on condition of anonymity to discuss intelligence matters.
A panel of experts looking into North Korea’s evasion of U.N. sanctions listed Thallium’s efforts as one of the activities that “constitute espionage intended to inform and assist” the country’s sanctions avoidance in a March 2022 report.
According to Town, before the attackers realized what had happened, analysts had provided comprehensive reports or manuscript reviews, and in some instances, the attackers had commissioned papers.
According to DePetris, the hackers questioned him regarding issues he was already working on, such as Japan’s response to North Korea’s military activities.
Another email, purporting to be from a reporter for Kyodo News in Japan, asked 38 North employees about U.S., Chinese and Russian policies and how they thought the war in Ukraine had affected their thinking.
According to DePetris, “one can only speculate that the North Koreans are trying to get candid views from think tankers in order to better understand U.S. policy on the North and where it may be going.”