North Korean Cyber-criminal Recycles Tactics and Targets
A threat actor believed to be associated with the Democratic People’s Republic of Korea (DPRK) has a certain fondness for repetition, according to new research published today.
In the report Triple Threat: North Korea–Aligned TA406 Scams, Spies, and Steals, researchers at Proofpoint shine a light on the nefarious activity of the threat actor TA406, whose campaigns they have been tracking since 2018.
“What’s most notable about this North Korea–aligned threat actor is their penchant for reusing the same tactics and targeting the same individuals over and over again,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.
“They also have used everything from sextortion to legitimate services in the name of financial gain.”
Proofpoint’s research team believe TA406 to be one of several actors responsible for cyber-criminal activity publicly tracked as the Kimsuky, Thallium, and Konni Group.
The researchers also have “high confidence” that TA406 is operating on behalf of the North Korean government.
TA406 has been conducting espionage-motivated campaigns since at least 2012 and financially motivated campaigns since at least 2018.
Until January 2021, TA406 campaigns remained low in volume. However, with the start of the year, the threat actor ramped up their activity to include almost weekly campaigns targeting foreign policy experts, journalists, and non-governmental organizations (NGOs).
While TA406 has been observed using many different malware families, including KONNI, SANNY, CARROTBAT/CARROTBALL, BabyShark, Amadey and Android Moez, this threat actor isn’t known primarily for campaigns that employ malware.
However, researchers attributed to TA406 two campaigns run in 2021 that tried to distribute malware for the purposes of gathering information.
Despite being a professional cyber-criminal, TA406 was observed to follow a standard working day schedule, sending malicious phishing emails out from 9am to 5pm, with the occasional additional late-night session.
Describing TA406’s targets, researchers wrote: “Generally, TA406 phishing campaigns focus on individuals in North America, Russia, and China, with the actors frequently masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals.
“TA406 has also targeted individuals and organizations related to crypto-currency for the purpose of financial gain.”