APT43 Group Uses Cybercrime to Fund North Korean Espionage Operations

Date: 29th May 2023

Location: Worldwide

Parties involved: APT43 Threat Actor, North Korea, South Korea, the U.S., Japan, Europe, Mandiant, Google

What happened: Google-owned Mandiant has identified a shift in the method of operation of the threat actor APT43. Mandiant has assessed with high confidence that APT43's actions support the interests of North Korea and centre around social engineering and credential harvesting for both financial and espionage purposes. APT43 had previously concentrated its efforts on targeting health-related entities and pharmaceutical companies; it has now switched to conducting targeted operations against government, education, research, geopolitical and nuclear think tanks, business services and manufacturing. APT43 has conducted attacks with what have been described as ‘moderately sophisticated technical capabilities’, but using aggressive social engineering methods against South Korean and U.S.-based government organisations, academics, and think tanks focused on Korean peninsula geopolitical issues. It is also believed that APT43 has engaged in collaborative efforts with other North Korean operators on multiple occasions, reinforcing the importance of APT43 in the regime's cyber threat operations strategy. APT43 primarily operates spear phishing attacks, underpinned by spoofed domains and email addresses as part of its social engineering strategy; these spoofed domains are then used for credential harvesting.


APT43 then also uses the compromised sites to deliver additional malware to further targets and to harvest further credentials. The group has also moved into targeting cryptocurrency and related services in order to launder illegitimately obtained cryptocurrency. The group has chosen to use publicly available malware such as gh0st RAT, QUASARRAT, PENCILDOWN and AMADEY, but it is mainly known for using LATEOP.

Analysis:

  • It is highly likely that APT43 will continue to concentrate on espionage and financial gain operations. It is highly likely that North Korea will remain, and become increasingly, dependent upon cyber operations. The shift in APT43's method of operation likely shows that it is positioning itself to support these and other operations that North Korea will very likely conduct. This change to health-related companies and pharma likely shows that APT43 is listening and responding to North Korea's requirements.
  • It is highly likely that APT43 has shifted operations in order to target entities highly likely to result in large financial gains. The use of sophisticated spear phishing attacks to enter target systems, escalate credentials and advance malware likely shows a long-term strategy to produce maximum financial return rather than a ‘quick win’. It is highly likely that a large portion of the proceeds of successful attacks is being returned to the North Korean leadership rather than kept within APT43's own reserves.

Recommendations:

  • It is recommended that corporate healthcare and pharma entities increase their alertness, including ensuring that all software is kept up to date with the latest patches.
  • It is recommended that corporate healthcare and pharma entities conduct immediate briefings, including workshops where necessary, explaining the current threat with particular emphasis on spear phishing attacks and methodology.
  • It is recommended that users do not open links of unknown origin, especially when shared via social media.
  • It is recommended that users do not click on email attachments from unknown sources.
  • It is recommended that users do not run or execute unknown files, especially if they have exaggerated filenames.
  • It is recommended that any high risk companies engage an outside threat specialist to conduct penetration testing, with an emphasis on social engineering, to highlight problem areas and implement corrective actions and training where required.
  • It is recommended that corporate and personal networks are kept up to date with the latest patches, have adequate firewalls, and have antivirus scans that are run frequently.
  • It is recommended that system administrators ensure that their antivirus protection measures are able to recognise and quarantine malware and attacks efficiently.
  • It is recommended that system administrators maintain a heightened alertness and implement additional monitoring of network traffic.

Sources

The Hacker News, 29th March 2023, North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations, https://thehackernews.com/2023/03/north-korean-apt43-group-uses.html

Mandiant - Threat Intelligence Report, March 2023, APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations, https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report
This article was written by Richard Flood & Julian Strong.