Research Saturday 4.20.24
Ep 326 | 4.20.24

The art of information gathering.


Dave Bittner: Hello, everyone. And welcome to the CyberWire's research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Greg Lesnewich: So this group is, to be totally honest with you, one that I inherited and has been tracked in, you know, our space. Call it the vendor threat research space. Since roughly 2017, but probably going back further than that.

Dave Bittner: That's Greg Lesnewich, senior threat researcher at Proofpoint. The research we're discussing today is titled "From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering." [ Music ]

Greg Lesnewich: And you can sort of think about it as the west team or the cluster of activity offered, you know, from the Kim [inaudible 00:01:17] umbrella if we want to use that term that targets people like policy experts that work either in government or for NGOs or think tanks and they send a lot of phishing emails to those people. And so they've been around for a long time. We observed some changes in their tactics and in their targeting and that led to the blog saying, "Hey, we think we've seen, you know, enough of a change that we should alert the general public." And part of that comes from the fact that they tend to target a lot of personal addresses and groups and companies that don't necessarily have the most mature or high end security programs. And so sometimes getting information out to alert the, you know -- that sort of policy and think tank and North Korean watching space can be the best thing to help prevent this group from being successful in their operations.

Dave Bittner: And you mention North Korea. I mean we're fairly confident in saying here that this is an operation from them?

Greg Lesnewich: Yes. A big portion of that comes from U.S government attribution of previous things that we've tracked at this -- from this cluster. I would say that there is consensus among those that track North Korean activity full time that this is also North Korea.

Dave Bittner: I see. Well, let's talk about what their particular interests are here. I mean who are the kinds of people that they're targeting?

Greg Lesnewich: The kinds of people that they're targeting I think can really be well described by the kind of people they spoof because the kind of people they spoof tend to be very well known North Korean watchers, if that's, you know, a term that rings a bell for anybody. And they'll spoof sort of prominent people in the North Korean sort of policy space and not people in North Korea doing policy, but particularly people based in the U.S who have insight or potentially can contribute to policies that would affect North Korea. And so they target individuals that have some idea, can inform those policies, or have particular analytical skills that could provide some insight for North Korea about what those policies would be. And so something like, you know -- there's sort of a steady drumbeat of this activity that is targeting these people all the time and part of that is to we believe is for the group to sort of stay in touch with the heartbeat of what the North Korean community is you know caring about. And some of it is then more particular in you know its engagement. And a lot of that just derives from, hey, South Korea announces that they are removing the reunification language from their constitution. TA427 will then come and ask experts and say, "Is this actually going to affect policy or is this just sort of a stance change?" They won't ask it as elegantly as I just said it or as basically as I've just said it. You know, but they tend to have in my opinion what they're interested in can be very well derived from the questions they ask in their emails. And those almost always go to people in government, but more so to people at think tanks and NGOs in those sort of spaces. And occasionally we don't have necessarily the data to say that it's going to a ton of journalists, but you know given that they spoof journalists a good amount of times we would expect that journalists who write about North Korea a lot are also targeted.

Dave Bittner: So is it fair to say this is a collegial exchange where they'll reach out to someone and say, "Hey, you're an expert on North Korea's nuclear disarmament. Good news. So am I. Let's talk shop."

Greg Lesnewich: Yeah. It will definitely tend to start that way. There will tend to be a question or sort of a hook in there, but all of it is not -- it ignores all of the things or avoids all of the things that we tend in like the phishing space to advise people to look out for. You know there's no talk about accounts. There's no sort of language that is pushy or conveying a sense of urgency. And nor is there an amount of like hey you should read this email like trying to make it seem important. It does a lot to try and blend in compared to how some of the business email compromise emails might do it. And so there will tend to be a question or a topic in there very related to current events surrounding the Korean peninsula. We in fact just saw one today talking about how potential changes in the Japanese majority party and elections in South Korea might affect quote, unquote, "policies in northeast Asia." And so there will be some amount of, you know, it won't always directly say, "Hey, how will this affect North Korea?" But you sort of derive that sort of intent. And so there's sort of a bifurcation of things that can happen after that. We've seen reports particularly out of the folks from Routers put out a piece I think in 2022 where they first saw this activity that they would solicit these questions in the way you just sort of termed it. Collegial. And they would get a response back, "Hey, what do you think about this topic?" The victim will say, "Hey, I think that X, Y, and Z policies are going to create A, B, and C outcomes." And sometimes they'll just drop the conversation there and say, "Okay. I've got what I need. Cool. Thank you." We believe that some of that activity can be them getting answers to questions that their leadership hands to them. You know everybody has a boss that they're answering to in this space. And if they can get the answer without having to do -- you know, complete you know more effort, you know, why would you continue with the normal playbook? We are a little bit biased in that I'll note because we want to interdict as soon as we see, you know, contact with a North Korean intelligence operative. So we tend to in our technology and then from our advisement end cut off that communication as soon as possible so that the victim can't even respond. So we've seen reports of you know the sort of call and response and then completion of that email thread. We've seen reports and observed in our data as well sort of longer or attempted longer exchanges, especially with the victim's personal accounts. So they will email their corporate or you know professional account and CC their Gmail account. And they will continue to respond from their Gmail account. And that can go on for, you know, months at a time without necessarily something super malicious happening. And part of that is I think trust building, but also if, you know, from my view if someone has a source that they can keep tapping with low effort to get a good idea of what someone thinks about something I think it's something that they'll continue to pursue without necessarily needing to deploy malware or harvest credentials in some manner, especially if going to that bulk of information that exist just on someone's computer is more effort than it's worth especially if they're getting the information directly from the user, you know the voice themselves. So it's a pretty interesting set of activity. Definitely not the sexiest, but you know definitely the most prolific group on the ATP side of things that we see in our data.

Dave Bittner: Yeah. One of the things that this research that you all just published highlights is how they've sort of upped their game a little on the email side of using things like DMARC and some web beacons. Can you take us through what you're seeing there?

Greg Lesnewich: Yeah. And on the second one of those, web beacons, it's effectively like something like marketing click tracking to see hey has this person opened our emails to get an idea of how successful a given campaign has been. And they've sort of been testing with those same things. We haven't seen widespread adoption, but we think it was sort of to get an idea of are my emails landing. Are they landing in the right place? Even it might just be as simple as are victims opening my emails. And not something as nefarious as are they coming out of the right IP address or some other technology, you know clicking on -- effectively clicking on these links for these people. The second one of these that you mentioned was the DMARC abuse. That was something that we first started observing in December 2023 effectively coming out of accounts that TA427 has compromised for a really long time. We don't -- we're trying to work with the folks that are compromising sending, you know -- are facilitating sending those emails. So we didn't name them in the piece because you know it didn't feel like a professional move to sort of call out people that might not be able to prevent those things on their own. And so trying to put out as much information as we can to say, "Hey, here's how you can protect yourself against the threat without doing sort of like the inverse of the victim shaming." That sort of thing. So peeling back a little bit or stepping back a little bit, DMARC is the thing that was getting used or abused rather in that second instance where effectively DMARC is an authentication sort of agreed upon protocol in the email space where you know if I have my website, call it, I can attach a DNS record to that that would be that would then provide -- and it's the response. If you query it in I believe the text record it would tell you, "Hey, this has a DMARC policy of X, Y, and Z."

Dave Bittner: Okay.

Greg Lesnewich: Those policies can then dictate, you know, does a policy exist. Yes or no. What are sort of the parameters of those policies? And effectively the parameters of those policies is where we saw spoofed entities getting abused. If my policy record says a policy exists, but it's not enforced, or to not -- you know during the authentication process if someone's sending an email as fails to authenticate, like that DMARC authentication fails, a lot of policies will just say, "Do nothing." Instead of quarantine or reject it and then tell the entity that was spoofed that they were being spoofed. And so it, you know -- it's kind of a tricky thing to set up. And, you know, there's a ton of things on YouTube and the open internet about how to set that up. But it is a little bit of an intensive process. And so given that we hadn't seen you know as much adoption as we would hope for or like, we're sort of in a place where we have to say, "Okay. Well, you know, these entities are being abused." We can, you know, sort of try to tell them to update their DMARC records to prevent this spoofing. But it does allow you know the TA427 in the end to very well spoof someone like And it does all of the things again to what we've said before it beats all of the measures that we tell people to look for in a phishing email because everything in the header says it's coming from You know there's no sort of like difference between those two unless you know how to open the email headers and inspect those and check them or you're flagging for failed DMARC activity. It's not necessarily something that would bubble up without some other technology in line to tell you, "Hey, this is -- this might be an imposter. Don't engage with them." Or sort of proceed with caution. And so that was -- that was sort of the main impetus for us wanting to get some information out there about this activity. [ Music ]

Dave Bittner: We'll be right back. [ Music ] To what degree would you label this sort of low level espionage? I mean I -- it doesn't sound like they're actively trying to you know infiltrate classified information. It strikes me that this is kind of a taking a temperature of what people who have professional interest in these topics may be thinking about things. I mean is that a fair way to assess what's going on?

Greg Lesnewich: Yeah. I think definitely from what their goals are I think that's a fair way to assess it. I think espionage is sort of the closest proxy. You could also make the argument that it is sort of, you know -- there's no embassy, North Korean embassy, in Washington, D.C. And some of this activity you could sort of imply that it's replacing that. I know that Jenny Town from Stimson Center has sort of made that point and I tend to generally agree with it that it's replacing diplomats and ambassadors being on the ground and rubbing shoulders with sort of the think tank and policy folks on a day to day basis where you might not -- you know, if you know someone is North Korean you might not tell them everything, but they can still potentially attend your talk or listen to your testimony somewhere and sort of get information that way. And so it definitely feels very human driven rather than like cyber driven espionage. It's sort of just email -- email is just the most convenient vector for it happening. We do see it occasionally leading to credential harvesting or malware infections which does sort of keep it in that sort of quote unquote "cyber" domain. And so I think that it just kind of blurs the line because of the inauthentic nature of the activity. And it being, you know, government or state sponsored that we continue to bucket it as espionage, but it's sort of not as neat as something like you know another -- say another North Korean group like TA404 which also can be tracked as diamond sleet. Targeting defense contractors and trying to steal missile plans, that's where it directly falls into the espionage thing. We don't want that. You know there are like all sorts of levers that can be pulled about that. And this is just sort of a constant stream of questions that you could very well see the regime asking through sort of a proxy. And you know part of it is just telling people to not engage with potentially North Korean citizens and personnel. But to your point, yeah. It doesn't -- it sort of doesn't really fit into a neat box of espionage or sort of the -- the non espionage based information gathering that happens at embassies worldwide.

Dave Bittner: Yeah. That's interesting. So what are your recommendations then? I mean in terms of strategies for folks to be aware of this, protect themselves. And I suppose part of this is helping spread the word as well.

Greg Lesnewich: Yeah. And so I think broadly not everyone I think has the same risk profile that academics and people in think tanks and NGOs have for getting random emails from people that, you know, purport to know them. At a narrow focus if you're in the North Korean watching or think thank or NGO community those sort of like the cyberspace, you know like the cyber threat intelligence threat research places tend to be pretty small. And so even if you don't know that person directly you probably have a one degree or two degree of separation to ask through the grapevine to say, "Hey, did this person actually ask me for -- to write a paper for them? Or were they asking my opinion about something or to attend this event?" Or was it not them and we should sort of throw the flag up and tell the rest of the community? The tricky part with this activity as a whole is guidelines and sort of advice to the general public. The only real one that comes to mind is when the sender and the reply to address are different. So if you click, you know -- you sort of have to do the dance of in Outlook or Gmail clicking reply to the email and seeing that the address that sent that email is not the address you're sending something back to. And then going from there to say, "Okay. The thing that emailed me was" To, you know, overuse that example over and over again.

Dave Bittner: Right.

Greg Lesnewich: But it's the actual address that I'm replying to is a Hotmail account. Is that sort of disparate and different enough to you know raise suspicion on my end? And that unfortunately is just something that you know comes with probably being targeted by these folks before and learning that that is something that could happen to you. And to be honest awareness tends to be to your last point -- awareness tends to be the best way that that community has to interdicting and preventing these threats. I'm not in any of these communities, but in engaging with a couple people that are someone will say, "Hey, you know." We'll ask someone like a Jenny Town who's at Stimson Center. She runs a program called 38 North that does a lot on North Korea. And we'll ask, "Hey, is this your email?" You know, call it a -- from a free mail provider. Is this you or is this you know North Korea, for lack of a better term? She'll say, "No. I don't control that account." And then on our end we'll do sort of our normal technical work. The think tank folks will then go spread the word, say, "Hey, be on the lookout for this email address because it's not actually me. Don't reply to anything. Certainly don't reply and antagonize them." And, you know, don't provide any information over it. And some of that is I think that we just don't want anyone to be engaging with these folks because even if we can keep a slight amount of information advantage over North Korea, you know most of their -- most of their other cyber programs are centered around them acquiring information or currency to further their weapons program which, you know, there's a lot of black and white in the world or a lot of shades of gray in the world right now to decide, you know, what's good and what's bad. I think that deciding -- you know, helping prevent North Korea from getting a long range nuclear weapon is very much a good thing to do. And so it sort of becomes an easy thing for us all to sort of center around.

Dave Bittner: Right. Right. I think it's a really interesting point, you know, that -- because I could imagine if I'm a policy expert and the very fact that someone is reaching out to me there's a certain bit of flattery that goes with that. But then also if I -- if it's obvious to me that this is, you know, someone wearing a fake mustache in a trench coat and a hat, that it isn't actually the person that they say they are, I can understand being a smart person and thinking, "Oh, I might string them along for a little while." But you know this may be North Korea's B team, but they may bring in the A team if you aggravate them.

Greg Lesnewich: Absolutely. And even though we have not used the sophisticated word yet, that you know I think that the level of English that they are able to use in their word documents, you know, everybody sort of makes mistakes, but the level of English, the amount of sort of things they're able to discuss even just via email in a written format, not you know live and on the phone or something like that, is impressive. And so I think that you know they have proven themselves pretty capable just in this arena alone and we sort of know and -- we sort of suspect. We do not know, but that operators from sort of this group and potentially there are other parts of the Kim -- quote unquote Kim [inaudible 00:23:15] umbrella got pulled in to sort of a tiger team during the COVID response for North Korea. And they were doing things that were well above sort of the normal TTP capability we would assign them in sort of their daily operations. And so we know that that ceiling is higher than this activity is showing us. And so I think that that's also to your point a big part of keeping things calm through those engagements and saying, "Hey." You know, even though this isn't the most maligned thing that you've ever seen, aggravating them is just not going to help anybody. And they definitely do have some -- you know, I think within their sort of repertoire they have some, you know, pretty capable malware families like recon shark which is an updated version of baby shark, a visual basic VBS based family that, you know, it's pretty well detected and easy to track if you're looking at it, but it's not something that they use all the time. And they will use a lot of things like browser extensions to sort of steal passwords and things like that. But I think even with those sort of small selection of tooling I think that they because of the apparatus that -- you know, the North Korean apparatus that they're tied to. There is -- there can be a bigger hammer to get rolled out if it's needed. [ Music ]

Dave Bittner: Our thanks to Greg Lesnewich from Proofpoint for joining us. The research is titled "From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering." We'll have a link in the show notes. [ Music ] The CyberWire research Saturday podcast is a production of N2K networks. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Stokes. Our mixer is Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We will see you back here next time. [ Music ]