Heimdal


A newly designated North Korean threat actor has been attributed a series of attacks conducted to gather strategic intelligence aligned with the regime's geopolitical interests.

Security researchers, who track the group's activity under the moniker APT43, believe its main purpose is espionage, although some of its attacks are financially motivated. The monetary activity is a means of generating funds to support the group's primary mission of collecting strategic intelligence.

Who Is APT43 Targeting?

As reported by The Hacker News, targeting is concentrated on South Korea, the U.S., Japan, and Europe, spanning the government, education, research, policy institute, business services, and industrial sectors, according to victimology trends. The threat actors have occasionally strayed from this focus: from October 2020 through October 2021, for example, they targeted companies in the pharmaceutical and health-related sectors.

The group combines moderately sophisticated technical capabilities with aggressive social engineering, aimed especially at South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.


APT43's activities are said to align with the mission of North Korea's foreign intelligence agency, the Reconnaissance General Bureau (RGB), and show tactical overlaps with another hacking group loyal to the Pyongyang regime, Kimsuky (aka Black Banshee, Thallium, or Velvet Chollima).

Tactics and Tools Used by the Group

APT43 uses spear-phishing emails with customized lures to draw victims into its attack chains. To gain the target's trust, these messages are sent from spoofed or fabricated identities posing as influential figures in the target's field of expertise.
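The impersonation pattern described above leaves traces in the message headers: a display name borrowed from a real expert, a sending domain that does not belong to that person (often a lookalike of the real one), and a Reply-To that steers replies elsewhere. The following Python script is an added example, not code from the original article or from Mandiant; it screens constructed sample headers against a hypothetical watchlist of known correspondents and their legitimate domains. The names, domains and sample messages are all invented for illustration.

```python
"""
Heuristic screen for display-name impersonation in inbound email.
Standard library only; the watchlist and sample messages are constructed.
"""
import difflib
import email
from email.utils import parseaddr

# Hypothetical watchlist: people the recipient corresponds with and the
# domains they legitimately send from. Any name not listed is ignored.
KNOWN_SENDERS = {
    "jane doe": {"example-institute.org"},
    "ki-hoon park": {"example.ac.kr"},
}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def _norm(name: str) -> str:
    """Normalise a display name for watchlist lookup (case, spacing, quotes)."""
    return " ".join(name.replace('"', "").split()).lower()


def lookalike(candidate: str, legit: str) -> bool:
    """Cheap typosquat heuristic: same first label with a different suffix
    (example.org vs example.co), or a near-identical string overall."""
    if candidate == legit:
        return False
    if candidate.split(".", 1)[0] == legit.split(".", 1)[0]:
        return True
    return difflib.SequenceMatcher(None, candidate, legit).ratio() >= 0.85


def analyze_headers(raw_message: str) -> list:
    """Return a list of finding codes for one RFC 5322 message string."""
    msg = email.message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    legit_domains = KNOWN_SENDERS.get(_norm(name))

    # A watchlisted display name arriving from a domain that person never uses.
    if legit_domains is not None and from_domain not in legit_domains:
        findings.append("display_name_impersonation")
        if any(lookalike(from_domain, d) for d in legit_domains):
            findings.append("lookalike_domain")

    # Replies silently redirected to a domain other than the visible sender's.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(str(reply_to))
        if _domain(rt_addr) != from_domain:
            findings.append("reply_to_mismatch")

    return findings


# Constructed sample messages (headers only; bodies omitted on purpose).
PHISHING_SAMPLE = (
    'From: "Jane Doe" <jane.doe@example-institute.co>\n'
    "Reply-To: <jdoe.research@mail-example.com>\n"
    "Subject: Request for comment on DPRK policy draft\n"
    "\n"
)
LEGIT_SAMPLE = (
    "From: Jane Doe <jane.doe@example-institute.org>\n"
    "Subject: Re: panel schedule\n"
    "\n"
)
UNLISTED_SAMPLE = (
    "From: Bob <bob@somewhere.example>\n"
    "Subject: hello\n"
    "\n"
)


if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE),
                          ("legit", LEGIT_SAMPLE),
                          ("unlisted", UNLISTED_SAMPLE)):
        print(label, analyze_headers(sample))
```

The watchlist approach only flags people you have told it about, which is exactly the population this kind of campaign impersonates: the handful of experts a policy analyst already exchanges mail with. It deliberately does not attempt authentication (SPF, DKIM, DMARC); those checks belong in the mail gateway and do nothing against a freshly registered lookalike domain with valid records.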

The group is also known to harvest compromised victims' contact lists to find further targets, and to steal cryptocurrency to fund its attack infrastructure. The stolen digital assets are laundered through hash rental and cloud mining services, which convert them into clean cryptocurrency and obscure the forensic trail.

According to Mandiant, APT43 operates with a wide arsenal of both proprietary and publicly available malware, including LATEOP (also known as BabyShark), FastFire, gh0st RAT, Quasar RAT, Amadey, and PENCILDOWN, an Android variant of a Windows-based downloader.

Mandiant's full report on APT43 is available for download.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he has developed a deep understanding of the digital threat landscape. His writing resonates with both technical and non-technical readers, communicating cybersecurity practices effectively and in an easy-to-understand manner.
