
In a recent joint cybersecurity advisory, the FBI, NSA, and the U.S. Department of State have issued a warning about state-sponsored email hack attacks carried out by APT43, a hacking group associated with the North Korean military intelligence agency. This group, also known as Kimsuky, has been using email authentication bypass techniques to impersonate journalists, researchers, and academics as part of spear-phishing campaigns aimed at providing stolen data and geopolitical insight to the North Korean regime. The attackers target policy analysts and experts in an effort to compromise sensitive information.

The APT43/Kimsuky group is managed by North Korea’s military intelligence 63rd Research Center and has been on the radar of U.S. intelligence agencies since 2012. The primary mission of Kimsuky is to target expert individuals and attain valuable geopolitical insight. Every successful attack carried out by the group helps them craft more sophisticated spear-phishing campaigns aimed at high-value targets. The attackers exploit misconfigured email authentication settings to bypass security measures, allowing them to send malicious emails without being detected.

The attackers exploit misconfigured records for DMARC, a security protocol that authenticates the origin of an email message. By taking advantage of DMARC policies that have been left blank or set with minimal security measures, Kimsuky is able to spoof legitimate email addresses from organizations such as think tanks and higher education institutions. The group creates fake usernames but uses legitimate domain names to enhance the authenticity of the emails they send. This allows them to evade detection and successfully compromise sensitive information.

To mitigate the threat posed by the Kimsuky attacks, the FBI and NSA have advised all email users to update their DMARC security policy. This can be done by configuring the DMARC policy within the email domain’s DNS settings to either quarantine emails that fail the DMARC check or reject/block them entirely. This simple action can help prevent these state-sponsored email hack attacks from succeeding by implementing stronger security measures. The FBI and NSA emphasize the importance of taking this step to counter the ongoing threat of spear-phishing attacks carried out by the North Korean cyber program.
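To show what a blank or minimal policy looks like next to an enforcing one, here is an added example (not code from the advisory or from this article) that audits DMARC TXT record strings. The domains and record values are constructed samples, and the status names are this example's own labels.

```python
"""Classify DMARC TXT records as blank, monitor-only, partial or enforced."""

# Constructed sample records; the .example domains are placeholders.
SAMPLE_RECORDS = {
    "thinktank.example": "v=DMARC1; p=none; rua=mailto:dmarc@thinktank.example",
    "university.example": "v=DMARC1; p=quarantine; pct=50",
    "agency.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@agency.example",
    "nopolicy.example": "",  # no DMARC TXT record published
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",  # p= tag missing
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    parts = txt.split(";")
    # RFC 7489 requires v=DMARC1 to be the first tag in the record.
    if parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(txt):
    """Return (status, findings) for one DMARC TXT record string."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", ["no valid DMARC record: receivers have no policy to apply"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "no-policy", ["p= tag blank or invalid: failing mail is not acted on"]
    if policy == "none":
        return "monitor-only", ["p=none: mail failing DMARC is reported, not blocked"]
    findings = []
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    # sp= defaults to the value of p= when it is absent.
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are left without enforcement")
    return ("partial" if findings else "enforced"), findings

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status, findings = audit(record)
        print(f"{domain:20} {status:13} {'; '.join(findings)}")
```

In practice the record string would come from a TXT lookup on `_dmarc.<domain>`; only the `reject` and `quarantine` results without findings match the policy the advisory recommends.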

Cybersecurity experts warn that spear-phishing attacks remain a significant part of the DPRK cyber program, with the Kimsuky group continuing to target high-value individuals to gather sensitive information. By providing new insights and mitigation strategies to counter these attacks, the joint cybersecurity advisory aims to raise awareness of the threat posed by state-sponsored hacking groups. It is crucial for individuals and organizations to prioritize cybersecurity measures and stay vigilant against malicious activities that could compromise their data and security. Updating DMARC policies is a simple yet effective way to enhance email security and protect against potential attacks.

© 2024 Globe Echo. All Rights Reserved.