Washington D.C. ― mWISE ― While Pyongyang continues to finance its nuclear weapons development through cyber extortion tactics like ransomware attacks and cryptocurrency heists, security experts are sounding the alarm on a recent shift in North Korean hacking methods. The new approach doesn’t rely on technical prowess, but rather employs simple disguises to pose as ordinary individuals for intelligence gathering.
Michael Barnhart, Principal Analyst at Mandiant for Google Cloud, unveiled new research on North Korea’s evolving social engineering tactics during a session at the Mandiant Worldwide Information Security Exchange (mWISE) conference on Monday. In a session aptly named “High volume and low sophistication,” Barnhart recounted a real-world incident targeting 38 North, a publication by the Stimson Center that offers policy analysis on North Korea. Jenny Town, Director of 38 North, also joined the presentation, shedding light on the events of that particular day.
“The cyber threat group is not hacking us anymore. These days, they do not start with the hacking aspect generally. It is a lot of social engineering,” said Town. In the realm of information security, social engineering involves the artful use of deception to manipulate individuals into disclosing confidential or personal information, often leveraged for fraudulent activities.
Town recounted her personal experience with the cyber intrusion. “A few years ago, I was working late one night around 2 a.m. and stepped away from my computer for a longer period of time. When I came back, I saw all these scripts running on the computer,” recalled Town, referring to the incident. “It was very unnerving, so I started moving things around and taking pictures to see what they were looking at,” said the director. As she was in the process of documenting the intrusion, the computer’s camera activated, only to abruptly shut off the moment it seemed to realize Town was monitoring its activities in real-time.
According to Town, the cyber invaders appeared to be focused solely on extracting information from her computer. “Because they were in my system, they had access to all of my files. I did worry about what they were going to do with the files, but there was clearly no leak on the internet,” added Town.
Barnhart specifically highlighted the use of TeamViewer, a remote-access tool, in relation to the incident. North Korean threat actors were observed using this software to gain access to Town’s files. “There should be no TeamViewer on any desk or any type of remote connection that should be going into a computer that then goes into the corporate network,” stressed the threat intelligence expert.
Barnhart linked the cyber intrusion to the advanced persistent threat group APT43, more commonly recognized as “Kimsuky.” This group operates under the Reconnaissance General Bureau (RGB), an intelligence agency serving the North Korean regime. Over the last few years, Kimsuky has ramped up its intelligence gathering efforts by masquerading as journalists and researchers when communicating with high-value targets—a strategy that has proven to be highly effective.
For instance, APT43 sent out fake emails to its targets, impersonating Town and other staff members from 38 North, and posed questions without embedding malware. In numerous cases, these cyber operatives have asked their targets to write articles that are never published or invited them to speak at non-existent events, all while using email addresses designed to mimic those of legitimate institutions. “You are not robbing the bank,” elaborated Barnhart. “You are just dressing up as her and asking for the money.”
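The impersonation emails described above succeed because the sender address looks like it belongs to the institution being mimicked. A mail gateway or triage script can flag such senders by comparing the domain against a list of protected institution domains after folding common lookalike substitutions. The following is an added example, not code from the article, from Mandiant or from 38 North; the protected domains (`38north.example`, `stimson.example`) and the sample `From:` headers are constructed placeholders, and the homoglyph table covers only a handful of common swaps.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Domains we want to protect against impersonation.
# Placeholder values constructed for this example, not the institutions' real domains.
PROTECTED_DOMAINS = ["38north.example", "stimson.example"]

# Substitutions frequently seen in lookalike domains; folded before comparison.
# Multi-character keys must be replaced before single characters that appear in them.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Minimum similarity (difflib ratio) at which a near-miss spelling is treated as a lookalike.
SIMILARITY_THRESHOLD = 0.85


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and fold common homoglyphs so lookalikes collapse onto the original."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    d = "".join(c for c in unicodedata.normalize("NFKD", d) if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(from_header: str):
    """Extract the domain part of a From: header value; None if there is no address."""
    m = re.search(r"@([^\s>]+)", from_header)
    return m.group(1).lower() if m else None


def classify(domain):
    """Return (verdict, protected_domain) where verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    if domain is None:
        return ("unrelated", None)
    if domain in PROTECTED_DOMAINS:
        return ("legitimate", domain)
    norm = normalize(domain)
    for protected in PROTECTED_DOMAINS:
        pnorm = normalize(protected)
        plabel = pnorm.split(".")[0]
        # 1) Identical once homoglyphs are folded (e.g. 38n0rth vs 38north).
        if norm == pnorm:
            return ("lookalike", protected)
        # 2) Protected name embedded in a different registrable domain (e.g. 38north-example.com).
        if plabel in norm:
            return ("lookalike", protected)
        # 3) Near-miss spelling (one or two characters off).
        if SequenceMatcher(None, norm, pnorm).ratio() >= SIMILARITY_THRESHOLD:
            return ("lookalike", protected)
    return ("unrelated", None)


def triage(from_headers):
    """Classify a batch of From: header values; returns a list of (header, verdict, protected_domain)."""
    return [(h, *classify(sender_domain(h))) for h in from_headers]


if __name__ == "__main__":
    # Constructed sample headers: one genuine sender, three lookalikes, one unrelated.
    SAMPLE_HEADERS = [
        "Jenny Town <jtown@38north.example>",
        "Jenny Town <jtown@38n0rth.example>",
        "Jenny Town <jtown@38north-example.com>",
        "Editor <editor@stirnson.example>",
        "Someone <someone@unrelated.example>",
    ]
    for header, verdict, protected in triage(SAMPLE_HEADERS):
        print(f"{verdict:10s} {header}" + (f"  (mimics {protected})" if protected else ""))
```

Run as a script it prints one verdict per header. In a real deployment the same `classify` call would sit in a gateway rule or a SIEM enrichment, and a `lookalike` verdict is a good trigger for a banner on the message or a review queue; the homoglyph table and threshold are the two knobs to tune against your own false-positive rate.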
The fraudulent solicitations, dispatched by APT43 to high-profile experts, have tarnished the reputation of 38 North. “People get angry if we commission someone to write a paper and do not publish it,” said Town. “It does create difficulties in both our reputations as well as in being able to invite people in the future.”