North Korean cyber threats are shifting towards social engineering, the latest research by Mandiant reveals

By Dain Oh, The Readable
Sep. 21, 2023 7:12AM GMT-4

Washington D.C. ― mWISE ― While Pyongyang continues to finance its nuclear weapons development through cyber extortion tactics like ransomware attacks and cryptocurrency heists, security experts are sounding the alarm on a recent shift in North Korean hacking methods. The new approach doesn’t rely on technical prowess, but rather employs simple disguises to pose as ordinary individuals for intelligence gathering.

Michael Barnhart, Principal Analyst at Mandiant for Google Cloud, unveiled new research on North Korea’s evolving social engineering tactics during a session at the Mandiant Worldwide Information Security Exchange (mWISE) conference on Monday. In a session aptly named “High volume and low sophistication,” Barnhart recounted a real-world incident targeting 38 North, a publication by the Stimson Center that offers policy analysis on North Korea. Jenny Town, Director of 38 North, also joined the presentation, shedding light on the events of that particular day.

“The cyber threat group is not hacking us anymore. These days, they do not start with the hacking aspect generally. It is a lot of social engineering,” said Town. In the realm of information security, social engineering involves the artful use of deception to manipulate individuals into disclosing confidential or personal information, often leveraged for fraudulent activities.

Town recounted her personal experience with the cyber intrusion. “A few years ago, I was working late one night around 2 a.m. and stepped away from my computer for a longer period of time. When I came back, I saw all these scripts running on the computer,” recalled Town, referring to the incident. “It was very unnerving, so I started moving things around and taking pictures to see what they were looking at,” said the director. As she was in the process of documenting the intrusion, the computer’s camera activated, only to abruptly shut off the moment it seemed to realize Town was monitoring its activities in real-time.

Michael Barnhart, Principal Analyst at Mandiant for Google Cloud, right, and Jenny Town, Director of 38 North, share their research during a session at the Mandiant Worldwide Information Security Exchange (mWISE) on September 18. Photo by Dain Oh, The Readable

According to Town, the cyber invaders appeared to be focused solely on extracting information from her computer. “Because they were in my system, they had access to all of my files. I did worry about what they were going to do with the files, but there was clearly no leak on the internet,” added Town.

Barnhart specifically highlighted the use of TeamViewer, a remote-control software, in relation to the incident. North Korean threat actors were observed using this software to gain access to Town’s files. “There should be no TeamViewer on any desk or any type of remote connection that should be going into a computer that then goes into the corporate network,” stressed the threat intelligence expert.

Barnhart linked the cyber intrusion to the advanced persistent threat group APT43, more commonly recognized as “Kimsuky.” This group operates under the Reconnaissance General Bureau (RGB), an intelligence agency serving the North Korean regime. Over the last few years, Kimsuky has ramped up its intelligence gathering efforts by masquerading as journalists and researchers when communicating with high-value targets—a strategy that has proven to be highly effective.

For instance, APT43 sent out fake emails to its targets, impersonating Town and other staff members from 38 North, and posed questions without embedding malware. In numerous cases, these cyber operatives have asked their targets to write articles that are never published or invited them to speak at non-existent events, all while using email addresses designed to mimic those of legitimate institutions. “You are not robbing the bank,” elaborated Barnhart. “You are just dressing up as her and asking for the money.”
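The lure described above carries no malware, so the only thing a recipient's mail filter can key on is the sender address that mimics a legitimate institution. The following Python script is an added illustration of that defensive check, not code from Mandiant, 38 North or The Readable: it compares the sender domain of each incoming `From:` header against a short allow-list of trusted correspondent domains and flags near-matches (digit-for-letter swaps, one or two edits away, or the trusted name reused under a different registrable domain). The domains and sample headers are constructed placeholders.

```python
import re

# Constructed allow-list of domains this organisation treats as trusted correspondents.
# Placeholder values; a real deployment would take these from the mail team's config.
TRUSTED_DOMAINS = ("example-institute.org", "example-policy.edu")

# Substitutions commonly used to build a lookalike domain (assumed heuristic list).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and fold common homoglyphs so 'examp1e' compares as 'example'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header, with or without a display name."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        trusted_norm = normalize_domain(trusted)
        label = trusted_norm.split(".")[0]
        # Within two edits of a trusted domain after homoglyph folding.
        if edit_distance(norm, trusted_norm) <= 2:
            return f"lookalike:{trusted}"
        # Trusted organisation name embedded in an unrelated registrable domain,
        # e.g. example-institute.org.some-relay.test
        if label in norm:
            return f"lookalike:{trusted}"
    return "unknown"


def triage(headers):
    """Classify a batch of From: headers; returns (header, verdict) pairs."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers: one genuine, three impersonation attempts, one unrelated.
    SAMPLE_HEADERS = [
        "Jenny Example <j.example@example-institute.org>",
        "Jenny Example <j.example@examp1e-institute.org>",
        "j.example@example-institutes.org",
        "<press@example-institute.org.mail-relay.test>",
        "newsletter@unrelated-corp.test",
    ]
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:40s} {header}")
```

The distance threshold of two and the homoglyph table are deliberately coarse; in production the allow-list comparison would be paired with SPF/DKIM/DMARC results, since an exact-domain match on a spoofed header is still worthless without authentication.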

The fraudulent solicitations, dispatched by APT43 to high-profile experts, have tarnished the reputation of 38 North. “People get angry if we commission someone to write a paper and do not publish it,” said Town. “It does create difficulties in both our reputations as well as in being able to invite people in the future.”

Dain Oh is a distinguished journalist based in South Korea, recognized for her exceptional contributions to the field. As the founder and editor-in-chief of The Readable, she has demonstrated her expertise in leading media outlets to success. Prior to establishing The Readable, Dain was a journalist for The Electronic Times, a prestigious IT newspaper in Korea. During her tenure, she extensively covered the cybersecurity industry, delivering groundbreaking reports. Her work included exclusive stories, such as the revelation of incident response information sharing by the National Intelligence Service. These accomplishments led to her receiving the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology, a well-deserved accolade bestowed upon her through a unanimous decision. Dain has been invited to speak at several global conferences, including the APEC Women in STEM Principles and Actions, which was funded by the U.S. State Department. Additionally, she is an active member of the Asian American Journalists Association, further exhibiting her commitment to journalism.