In a recent statement, the CSA said a North Korean cyber actor may be trying to gather US intelligence information.
What happened
On May 2nd, the Joint Cybersecurity Advisory (CSA), consisting of the Federal Bureau of Investigation, the U.S. Department of State, and the National Security Agency, issued an alert to highlight threat actor Kimsuky.
Kimsuky, also known as Emerald Sleet or APT43, is a subunit of the North Korean military’s Reconnaissance General Bureau (RGB), which aims to gather information on issues that could impact North Korea.
The advisory determined that Kimsuky is conducting spearphishing campaigns–emails sent by a malicious actor posing as a trusted individual in order to gather information related to geopolitics or foreign policy strategies. Currently, the actors are posing as legitimate journalists, academics, and other experts with links to North Korean policy. Data is being collected with the goal of strengthening North Korea’s regime.
Going deeper
According to the cyber alert, Kimsuky is able to send emails to organizations that do not have a DMARC policy enabled. DMARC is an email security protocol that authenticates email messages to ensure they are sent from a legitimate domain. When it’s not enabled, the email server likely will not mark it as junk and it can appear legitimate.
The emails themselves generally ask questions related to the US’s stance towards North Korea. The sender will appear legitimate and the emails tend to contain some, but limited, spelling and grammar errors.
Other red flags include:
- Innocuous initial emails followed by communication containing malicious links or documents
- Email content including past messages from previous victims
- Awkward sentence structure or grammar
- Targeting victims with direct or indirect knowledge of policy related to North Korea
- Malicious documents that require users to “Enable Macros”
- Follow up emails
- Emails sent purporting to be from official services but coming from unofficial email services.
What’s next
To help reduce the threat, the CSA is advising organizations to ensure they are implementing DMARC security policies.
They are also recommending organizations follow the CISA’s Cross-Sector Cybersecurity Performance Goals, which provide a number of security policies and procedures organizations can implement to protect data.
The big picture
While threats like this can be difficult for recipients to identify, especially if they are unaware of Kimsuky’s intelligence-gathering attempts, it’s far from impossible.
Threats like these can be avoided by implementing strong security measures, including DMARC policies and as many performance goals as possible.
On top of this, Paubox’s email security suite can prevent spoofing and allow emails to be scanned for suspicious information. For companies that utilize Paubox, employees don’t have to worry about keeping up with the latest cybersecurity trends or risk exposing data.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
