Search This Blog

Powered by Blogger.

Blog Archive

Labels

APT43: Cyberespionage Group Targets Strategic Intelligence

APT43 supports objectives of the North Korean regime, sharing malware and tools with the Lazarus threat actor.


APT43, also known as Kimsuky or Thallium, recently exposed by the Mandiant researchers, is a cyberespionage threat group supporting the objectives of the North Korean regime. By conducting credential harvesting attacks and successfully compromising its targets using social engineering, ATP43 concentrates on gathering strategic intelligence. 

Mandiant, which has been tracking APT43 since 2018, noted that the threat group supports the mission of the Reconnaissance General Bureau, North Korea's primary external intelligence agency. 

In terms of attribution indicators, APT43 shares infrastructure and tools with known North Korean operators and threat actors. Essentially, APT43 shares malware and tools with Lazarus. 

Targets of APT43 

Prior to 2021, the APT43 organization mostly targeted foreign policy and nuclear security challenges, but this changed in response to the global COVID-19 pandemic. 

APT43 primarily targets manufacturing products including fuel, machinery, metals, transportation vehicles, and weaponry whose sale to North Korea has been banned in South Korea, the U.S., Japan, and Europe. In addition to this, the group attacks business services, education, research and think tanks focusing on geopolitical and nuclear policy and government bodies. 

Spear Phishing and Social Engineering Techniques Used by APT 43 

Spear phishing is one of the primary methods used by APT43 to compromise its targets. The group frequently fabricates plausible personas, impersonating important figures. Ones they have succeeded in compromising one such individual, the threat group proceeds into using the person’s contact lists to aim further targets with spear phishing. 

In one such instance, exposed by Google, Archipelago (a subset of APT43) would send phishing emails where they portray themselves as a representative of a media outlet or think task asking the targeted victim for an interview. To view the questions, a link must be clicked, but doing so takes the victim to a phony Microsoft 365 or Google Drive login page. The victim is directed to a paper with questions after entering their credentials. 

According to the Google report, Archipelago tends to interact with the victim for several days in order to build trust before sending the malicious link or file. 

Another tactic used by Archipelago involves sending benign PDF files purportedly from a third party that alerts the recipient to fraudulent logins they should examine. 

Malware Families and Tools Used 

APT43 employs a variety of malware families and tools. Some of the public malware families used include Gh0st RAT, Quasar RAT, and Amadey. However, the threat group mostly uses a non-public malware called LATEOP or BabyShark, apparently developed by the group itself. 

How can you Protect Yourself from the APT43 Security Threat? 

Here, we have listed some measures that could ensure protection against  malicious APT43 attacks: 

  • Educate users about the social engineering techniques used by APT43 and Archipelago.  
  • Train users to detect phishing attempts and report them immediately to their security staff. 
  • Use security solutions to detect phishing emails or malware infection attempts. 
  • Keep operating systems and software up to date and patched. 

Moreover, professionals in the field of geopolitics and international politics are advised to be trained in detecting any approach from attackers or potential threat actors, posing as a journalist or a reporter. Careful identification and examination of such individuals approaching important figures must be taken into priority, prior to any exchange of information or intelligence.  

Share it:

APT43

Archipelago

Cyber Attacks

Hacker group Kimsuky

Mandiant Threat Intelligence

North Korea

security threat

Spear Phishing

Thallium