Kimsuky Abusing DMARC Protocol

ByRJG

May 13, 2024 ,

North Korean state-sponsored threat actors are exploiting vulnerabilities in DMARC configurations to send persuasive phishing emails and collect critical intelligence from Western targets, according to a recent advisory from the US National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State.[1] The advisory highlights the activities of the hacking group known as Kimsuky, which is closely associated with the Lazarus Group and, by extension, the North Korean government. These actors have been manipulating DMARC (Domain-based Message Authentication, Reporting, and Conformance) settings to make their phishing attempts appear as if they originate from legitimate sources.

DMARC is an email authentication protocol designed to help prevent email spoofing, phishing, and other types of fraud. It allows email senders to use cryptographic signatures to verify their messages, and it instructs recipients on how to handle emails that fail these authentication checks.

The primary objective of Kimsuky is to gather intelligence on geopolitical developments, adversary foreign policy strategies, and any other information that could impact the interests of the DPRK. This is achieved by illicitly accessing private documents, research, and communications of targeted individuals.

To ensure that their phishing efforts are successful, Kimsuky actors meticulously prepare by researching their targets extensively. They often assume false identities or impersonate real individuals, typically choosing roles such as journalists, academics, or experts in East Asian affairs with supposed connections to North Korean policy circles. This approach enhances the credibility of their phishing attempts, making them more likely to elicit the desired responses from their targets.

As noted in The Record “In one example included in the advisory, a speaker fee is offered to the victim as a way to get them to open the email. Some emails show evidence that North Korean hackers were able to gain access to a university’s legitimate email client to send the email.”

An earlier report by Proofpoint noted that this tactic was first observed in December of the previous year. During that time, Kimsuky expanded its efforts to include foreign policy experts, seeking their insights on issues like nuclear disarmament. The group’s proficiency in social engineering makes it a formidable threat, capable of engaging targets over extended periods to build trust and extract valuable information.

Citation:

[1] https://www.aha.org/system/files/media/file/2024/05/tlp-clear-cybersecurity-advisory-north-korean-actors-exploit-weak-dmarc-security-policies-to-mask-spearphishing-efforts.pdf 

author avatar
RJG CTIN President & Co-Founder
Jane Ginn As the co-founder of the Cyber Threat Intelligence Network (CTIN), a consultancy with partners in Europe, Ms. Ginn has been pivotal in the development of the STIX international standard for modeling and sharing threat intelligence. She currently serves as the Secretary of the OASIS Threat Actor Context Technical Committee, contributing to the creation of a semantic technology ontology for cyber threat actor analysis. Her efforts in this area and her earlier work with the Cyber Threat Intelligence (CTI) TC earned her the 2020 Distinguished Contributor award from OASIS. In public service, she advised five Secretaries of the US Department of Commerce on international trade issues from 1994 to 2001 and served on the Washington District Export Council for five years. In the EU, she was an appointed member of the European Union's ENISA Threat Landscape Stakeholders' Group for four years. A world traveler and amateur photojournalist, she has visited over 50 countries, further enriching her global outlook and professional insights. Follow me on LinkedIn: www.linkedin.com/comm/mynetwork/discovery-see-all?usecase=PEOPLE_FOLLOWS&followMember=janeginn
Translate »