A close look at North Korea's APT43.
N2K logoMar 28, 2023

Cyberespionage gang conducts cryptocurrency theft to sustain its own operations.

A close look at North Korea's APT43.

Mandiant describes the activities of APT43, a North Korean threat actor that conducts cybercrime to fund its cyberespionage efforts.

Cyberespionage to advance Pyongyang’s weapons programs.

APT43 is also tracked as “Kimsuky,” or “Thallium.” Mandiant says the threat actor uses “aggressive social engineering tactics” combined with moderately-sophisticated technical capabilities” to target “South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.” While the group targets a wide range of organizations and industries, Mandiant believes APT43’s primary goal is to advance North Korea’s weapons program:

“The group is primarily interested in information developed and stored within the U.S. military and government, defense industrial base (DIB), and research and security policies developed by U.S.-based academia and think tanks focused on nuclear security policy and nonproliferation.”

APT43 also conducts cryptocurrency theft to fund its own operations. In one instance, the threat actor used a phony Android app to target Chinese users seeking cryptocurrency loans. The group uses hash rental and cloud mining services to launder the stolen funds.

Mandiant comments.

Michael Barnhart, Mandiant Principal Analyst, Google Cloud, commented:

"The washing of funds and the 'how' has been the missing piece of the equation. We have indications that APT43 utilizes specific hash rental services to launder these funds by mining for different cryptocurrencies. Put another way, imagine you stole millions of dollars in gold, and while everyone is looking for stolen gold, you pay silver miners with stolen gold to excavate silver for you. Similarly, APT43 deposits stolen cryptocurrency into various cloud mining services to mine for a different cryptocurrency. For a small fee, DPRK walks away with untracked, clean currency to do as they wish. Based on our knowledge of this actor and the other associated groups, it is very likely that the other DPRK aligned APTs are using the same services to launder their illicit funds."

Joe Dobson, Mandiant Principal Analyst, added:

“Unlike other North Korean threat actors that target large cryptocurrency bridges and exchanges, APT43 has expanded their targeting to everyday users, likely through automation, based on the sheer velocity and volume of attacks. Since June of 2022, Mandiant has tracked more than 10 million phishing NFTs (non-fungible tokens) successfully delivered to cryptocurrency users across multiple blockchains. By spreading their attack out across hundreds, if not thousands, of victims, their activity becomes less noticeable and harder to track than hitting one large target. Their pace of execution, combined with their success rate, is alarming; especially when you consider that most funds stolen by DPRK cyber operators are going back to the regime to fund its development of nuclear bombs.”

Industry reaction to reports of APT43 activity.

(Added, 7:15 PM, March 29th, 2023. We received comments from several industry experts on the implications of Mandiant's report on APT43's current operations. Chris Handscomb, Solutions Engineer at Centripetal, offered some advice on what organizations might do to protect themselves from this threat. “North Korea has developed a large pool of highly specialized software & security experts in a relatively short period of time. The FBI has issued multiple warnings that North Korean cyber spies are infiltrating foreign companies to acquire data and trade secrets," he wrote. "Never knowing whether a threat may emerge by walking through your door, in the day or over the wire at night, it is important that in addition to securing your premises and network from local intrusion, you take proactive steps to do the following:

  • "Become invisible. By blocking reconnaissance traffic. If they can’t see you, you’re less of a target.
  • "Know the threats. 99% of threats are known by the global threat intelligence community, use this intelligence.
  • "Turn off the taps. By using AI backed security appliances designed to proactively shield against attack.
  • "Call for backup. Leverage an elite team of cyber threat analysts to act as an extension of your IT / SecOPS department.

"Once your data has left the organization, you may find it too challenging to pursue action to prevent it from spreading. It's time to be more proactive.”

Paul Bischoff, privacy advocate with Comparitech, notes that phishing is phishing, whatever the target might be. “APT43 may be targeting high-level government and military organizations, but the initial attack vector is still phishing, and thus can be easily avoided with some basic training and awareness," he said, and also offered some advice. "Never click on links or attachments in unsolicited emails, and always check the sender's email domain (what comes after the @ sign) for spelling errors. APT43 is spear phishing, which means their messages are tailored to high-level targets, such as executives and IT personnel. That can make them more difficult to identify as malicious. Enforcing two-factor authentication for logins is also important in the event that someone does fall victim to one of these phishing attacks and hands the attackers their password. Even with a stolen password, a hacker will not be able to access a 2FA-protected account without the one-time code, making it much more difficult to break into accounts.”

Finally, Chris Hauk, consumer privacy champion at Pixel Privacy, sees the DPRK operators as sticking to the methods that they know, and that have succeeded for them in the past. “While APT43 is a new North Korean hacking group, they're sticking to the tried and true methods when executing their attacks," he wrote. "Phishing attacks like this have been around since the internet became widely available. The usual advice applies here, as companies should educate employees and executives on how to recognize phishing attacks, what to do if they think they've been targeted in an attack, and how to avoid such attacks. Organizations should also enable multi-factor authentication whenever possible, which will help prevent hackers from being able to log in to systems, even if they have a valid username and password.”)