Research Saturday 8.5.23
Ep 293 | 8.5.23

Who is that stealing my credentials?


Dave Bittner: Hello, everyone, and welcome to the CyberWire's research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Aleksandar Milenkoski: So through our collaboration with NK News, we got the opportunity to take a look at the emails, analyze the malicious activities, and basically scope the overall campaign that was going on at that time.

Dave Bittner: That's Aleksandar Milenkoski, senior threat researcher at Sentinel Labs. The research we're discussing today is titled "Kimsuky Strikes Again: New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence."

Aleksandar Milenkoski: We collaborate with NK News and NK Pro. So just a little bit of context for the listeners. NK News and NK Pro is a prominent news and analysis outlet on North Korean affairs, which collaborates with experts in North Korean affairs and publishes detailed reports on North Korea to its subscription base. So the campaign that we talked about in our research is basically a social engineering campaign done via email correspondence that was targeting experts in North Korean affairs and members of NK Pro, which is a subscription service of NK News. So through our collaboration with NK News, we got the opportunity to take a look at the emails, analyze the malicious activities, and basically scope the overall campaign that was going on at the time.

Dave Bittner: Well, before we dig into the specific campaign here, can you share with us what we know about Kimsuky?

Aleksandar Milenkoski: Sure. So Kimsuky is a North Korea-nexus threat actor that's been active since at least 2012. The group, in general, is known for a lot of badness, primarily conducting targeted social engineering and spear-phishing campaigns by impersonating relevant individuals. In general, the group's goal is to collect strategic intelligence, for example on geopolitical affairs, foreign policy developments, and so on, primarily done through credential theft and delivery of malware. One prominent characteristic of the group is that it's consistently active and it's very persistent as well, and it dedicates a lot of time and effort to conducting its campaigns.

Dave Bittner: How would you rate their sophistication?

Aleksandar Milenkoski: Kimsuky is very active and very persistent. So it's very thorough in conducting its social engineering campaigns. Right. This means also planning who is sending the mail, the tone of the emails. And one of their characteristics is really first establishing trust and rapport with the victims. And the initial communication usually does not contain any malicious artifacts. At least that was the case in the campaign that we discussed in our latest research. However, they use every available opportunity during the correspondence to deliver either weaponized documents or malicious links and whatnot. So from that perspective, from the social engineering perspective, I would say that they are very, very persistent and very active. They're very dedicated on that front.

Dave Bittner: Well, let's walk through this particular campaign. How does it begin? What's the initial contact like?

Aleksandar Milenkoski: Right. So what we observed in general is primarily a social engineering campaign done via email correspondence. Again, that was targeting experts in North Korean affairs and members of NK Pro, the subscription service of NK News. So the overall campaign was done via email. The social engineering attacks involved mainly two types of activities. So they were contacting experts in North Korean affairs, sending draft Google documents for the experts to review. And the other vector, they were sending requests for resetting accounts to NK Pro members, basically leading or luring members to malicious websites that capture entered credentials. When it comes to the correspondence with the targeted experts in North Korean affairs, as I mentioned before, the hallmark of this activity is that the attackers focused on first establishing trust or rapport with the victims, and the initial communication did not contain any malicious artifacts.

Dave Bittner: The email that you all share in your research here is quite interesting. You know, they're reaching out to people and asking for them to share their expertise on the NK nuclear threat. So really, I guess touching a bit of the victim's ego to start with.

Aleksandar Milenkoski: Well, the individuals that were targeted were experts in those affairs, right? So maybe some further context for the listeners. NK Pro, that is the subscription service of NK News, collaborates with such experts in North Korean affairs and publishes detailed reports on North Korea to its subscription base. As I mentioned before, Kimsuky is very dedicated to social engineering campaigns. So the way that they targeted the individuals was consistent with the usual things or activities that the targeted individuals are usually involved in.

Dave Bittner: So they're using some custom domains here to make it appear as though their correspondence is coming from NK Pro?

Aleksandar Milenkoski: Sure. So they basically used email domains that were mimicking legitimate domains. And also when it comes to capturing credentials or stealing credentials, they also used websites that they constructed, and those mimicked legitimate domains, specifically of the NK Pro subscription service.

Dave Bittner: So you mentioned that they're very deliberate about establishing rapport with their victims here, and that there could be several emails that go back and forth before they actually send a malicious file. Can you walk us through that? I mean, at what point do they actually drop that malicious file?

Aleksandar Milenkoski: So that depends on how the conversation goes, right? So as I mentioned, they first try to establish rapport, for example with the experts. They send draft Google documents for them to review. If they notice that the target engages in the conversation, then after some time they attempt to deliver a payload. One interesting thing to note about Kimsuky is that if they notice that the email correspondence has slowed down or has died out, they tend to send reminders as well. So that aligns with the persistence that I mentioned a few moments ago.

Dave Bittner: Yeah. What is the payload that they ultimately send?

Aleksandar Milenkoski: So from a technical perspective, they had two goals, right? The first goal is theft of Google email and NK Pro subscription credentials through impersonation of legitimate login sites. So these malicious sites, which in the context of the emails were in the form of links on which the victim should click, were constructed to capture entered credentials, basically, and transport them back to the threat actors. The second goal from a technical perspective was delivery of known Kimsuky reconnaissance malware. Now, the thing about this reconnaissance malware is that it enables further precision attacks, whether that could be through custom-tailored malware or some exploits that the threat group has in its possession and whatnot down the line.

Dave Bittner: So what are your recommendations then for organizations to best protect themselves here?

Aleksandar Milenkoski: Right. So all the measures for protecting against social engineering attacks, I would say they apply here as well. One thing is verifying the legitimacy of emails, of course. This usually involves examining the sender's email origin by investigating email headers. But even going beyond that, like evaluating the language used, the overall style and tone of the email correspondence. For example, if the sender is insisting on downloading a document or clicking on a given link, this should be enough to raise suspicion. Note that Kimsuky is known for reminding victims, as I mentioned earlier, to do this if they see that the correspondence has slowed down. Going further, proper email or account security, of course. So MFA, or multi-factor authentication, is definitely a must. We at Sentinel Labs recommend adopting what we call attack-resilient MFA techniques, right? Such as the use of hardware tokens in favor of some lesser-quality MFA such as SMS messages or push notifications. Threat actors these days are known to evade SMS message- or push notification-based MFA authentication. And finally, I mean, for the specifically targeted individuals, it is also important to report suspicious activities to the authorities. The NSA report, which was discussing this activity on a broader scale, provides instructions on how to do this regarding Kimsuky activity specifically.

Dave Bittner: It seems to me like this really is a reminder of how your email account, which in this case, you know, flows through these folks' Google accounts, really is the key to everything. So much goes through there. If someone gains access to your email account, there's just so much they can do.

Aleksandar Milenkoski: Exactly. So we covered before the technical goals of the campaign, right? But the technical goals always translate to rather strategic or nontechnical goals. Right? So in a way, by gaining access to the email inboxes of the targeted experts on North Korea, the attackers can access their email correspondence, which provides intelligence to Kimsuky on its own. I would say, for example, Kimsuky is known to deploy a kind of auto-forwarding of incoming emails to their own email addresses, so in a way, that gives them real-time insight into email correspondence. But also, not to forget, access to victims' email inboxes also enables Kimsuky to possibly impersonate the affected victims in further attacks. So this thing can propagate as well. We also mentioned that they targeted credentials to the subscription content of NK Pro, so by gaining access to the subscription content of NK Pro, Kimsuky in a way has a direct insight into how the Western world perceives the ongoing developments in North Korea. So all of this, in a way, I would say builds up the North Korean strategic intelligence, which ultimately guides North Korean authorities in the process of fine-tuning or further developing, if you wish, their overall strategy on a long-term basis. Well, mid-term and short-term basis as well.

Dave Bittner: Our thanks to Aleksandar Milenkoski from SentinelOne for joining us. The research is titled "Kimsuky Strikes Again: New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.