Kimsuky Abusing DMARC Protocol

North Korean state-sponsored threat actors are exploiting vulnerabilities in DMARC configurations to send persuasive phishing emails and collect critical intelligence from Western targets, according to a recent advisory from the US National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State.[1] The advisory highlights the activities of the hacking group known as Kimsuky, which is closely associated with the Lazarus Group and, by extension, the North Korean government. These actors have been manipulating DMARC (Domain-based Message Authentication, Reporting, and Conformance) settings to make their phishing attempts appear as if they originate from legitimate sources.

DMARC is an email authentication protocol designed to help prevent email spoofing, phishing, and other types of fraud. It allows email senders to use cryptographic signatures to verify their messages, and it instructs recipients on how to handle emails that fail these authentication checks.

Natural landform on Navajo Reservation.
Source: S. Johannesen

The primary objective of Kimsuky is to gather intelligence on geopolitical developments, adversary foreign policy strategies, and any other information that could impact the interests of the DPRK. This is achieved by illicitly accessing private documents, research, and communications of targeted individuals.

To ensure that their phishing efforts are successful, Kimsuky actors meticulously prepare by researching their targets extensively. They often assume false identities or impersonate real individuals, typically choosing roles such as journalists, academics, or experts in East Asian affairs with supposed connections to North Korean policy circles. This approach enhances the credibility of their phishing attempts, making them more likely to elicit the desired responses from their targets.

As noted in The Record “In one example included in the advisory, a speaker fee is offered to the victim as a way to get them to open the email. Some emails show evidence that North Korean hackers were able to gain access to a university’s legitimate email client to send the email.”

An earlier report by Proofpoint noted that this tactic was first observed in December of the previous year. During that time, Kimsuky expanded its efforts to include foreign policy experts, seeking their insights on issues like nuclear disarmament. The group’s proficiency in social engineering makes it a formidable threat, capable of engaging targets over extended periods to build trust and extract valuable information.

Citation:

[1] https://www.aha.org/system/files/media/file/2024/05/tlp-clear-cybersecurity-advisory-north-korean-actors-exploit-weak-dmarc-security-policies-to-mask-spearphishing-efforts.pdf 

Translate »