North Korean Group Kimsuky Exploits DMARC and Web Beacons
Security researchers have uncovered new tactics associated with the threat actor TA427, also known as Emerald Sleet, APT43, THALLIUM or Kimsuky.
This group, believed to be aligned with North Korea’s Reconnaissance General Bureau, has been observed engaging in email phishing campaigns targeting experts for insights into US and South Korean foreign policies.
According to an advisory published by Proofpoint on Tuesday, TA427 has directly contacted foreign policy experts since 2023, soliciting their opinions on topics such as nuclear disarmament, US-South Korean policies and sanctions through seemingly benign email conversations.
In recent months, there has been a noticeable increase in this activity, with TA427 employing social engineering tactics, regularly changing email infrastructures and, more recently, abusing lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas.
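The DMARC weakness described above is easy to audit from the defender's side. The following Python is an added example, not code from Proofpoint's advisory: it parses a DMARC TXT record (the string published at `_dmarc.<domain>`) and reports the gaps that let a sender's domain be spoofed, such as `p=none`, a partial `pct=`, an unprotected subdomain policy, or no `rua=` reporting address. The domain names and records are constructed samples standing in for real DNS lookups.

```python
"""Assess a DMARC TXT record for the weaknesses that make persona spoofing easy.

Added example, not from Proofpoint's advisory. A real check fetches the TXT
record at _dmarc.<domain>; here the records are constructed strings so the
assessment runs offline.
"""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip empty trailing segments such as the one after a final ';'
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (verdict, findings) for one record.

    verdict is 'missing', 'invalid', 'weak', 'partial' or 'strong'.
    """
    if record is None:
        return "missing", ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record must begin with v=DMARC1 or receivers ignore it"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"missing or unknown p= tag {policy!r}; receivers treat the record as absent"]

    findings = []
    if policy == "none":
        findings.append("p=none only requests reports; mail that fails DMARC is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number and will be ignored")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct} enforces the policy on only {pct}% of failing mail")
    subpolicy = tags.get("sp", policy).lower()  # sp= defaults to the organisational policy
    if policy != "none" and subpolicy == "none":
        findings.append("sp=none leaves subdomains open to spoofing")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts are never received")

    if policy == "reject" and pct == 100 and subpolicy != "none":
        verdict = "strong"
    elif policy == "none":
        verdict = "weak"
    else:
        verdict = "partial"
    return verdict, findings


# Constructed sample records for hypothetical domains, standing in for DNS lookups.
SAMPLE_RECORDS = {
    "thinktank.example": "v=DMARC1; p=none; rua=mailto:dmarc@thinktank.example",
    "university.example": "v=DMARC1; p=quarantine; pct=25",
    "ministry.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@ministry.example",
    "hardened.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
    "nodmarc.example": None,
}


def assess_all(records=SAMPLE_RECORDS) -> dict:
    """Map each domain to its verdict, for a fleet-wide summary."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        verdict, findings = assess_dmarc(rec)
        print(f"{domain}: {verdict}")
        for finding in findings:
            print("   -", finding)
```

Only `p=reject` (or at least `p=quarantine`) actually causes receivers to act on a failed check; a domain at `p=none` has DMARC "deployed" in name only, which is the laxity the article refers to. Running this over the domains of the personas an organisation expects mail from shows which of them can be impersonated without tripping any receiver-side control.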
They have also started using web beacons, small invisible objects embedded in emails or web pages, for target profiling since February 2024.
This pattern of engagement and the tactics utilized by TA427 have raised concerns, Proofpoint warned. The group appears adept at social engineering, aiming to augment North Korean intelligence on foreign policy matters. By engaging targets in extended conversations, often over weeks or months, and using tailored lure content, TA427 builds rapport and seeks information without immediately resorting to malware or credential harvesting.
The targets of TA427’s phishing campaigns include experts in think tanks, NGOs, media, academia and government. The group impersonates individuals from these sectors to increase the legitimacy of their requests for information or engagement. Beyond DMARC abuse, they also rely on typosquatting or spoofing private email accounts to masquerade as trusted personalities or organizations.
The use of web beacons is a recent addition to TA427’s tactics, enabling them to gather fundamental information about recipients’ network environments.
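A web beacon of the kind described is a remotely hosted image that is too small or too well hidden to be seen, often carrying a per-recipient token in its URL so that loading it tells the sender who opened the message, when, and from which IP address. The following Python is an added example, not code from Proofpoint's advisory, showing how a mail gateway or analyst script could flag such images in an HTML body with only the standard library. The e-mail body and hostnames are constructed samples.

```python
"""Flag likely web beacons (tracking pixels) in an HTML e-mail body.

Added example, not from Proofpoint's advisory. The message below is a
constructed sample and the hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value: str) -> bool:
    """True when an HTML width/height attribute is 1 pixel or smaller."""
    digits = value.strip().lower().removesuffix("px")
    return digits.isdigit() and int(digits) <= 1


class BeaconFinder(HTMLParser):
    """Collect <img> tags whose src is remote and which are tiny, hidden,
    or carry a query string that can single out the recipient."""

    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images never contact a server, so they cannot report back
        reasons = []
        if _tiny(a.get("width", "")) and _tiny(a.get("height", "")):
            reasons.append("1x1 or smaller")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if url.query:
            reasons.append("query string that can identify the recipient")
        if reasons:
            self.beacons.append({"host": url.hostname, "src": src, "reasons": reasons})


def find_beacons(html: str) -> list:
    """Return one dict per suspicious remote image in the HTML body."""
    finder = BeaconFinder()
    finder.feed(html)
    finder.close()
    return finder.beacons


# Constructed sample message: one ordinary banner, two beacons, one inline image.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Dear Dr. Example, I would value your view on the sanctions question.</p>
<img src="https://cdn.newsletter.example/banner.png" width="600" height="120" alt="banner">
<img src="https://t.beacon.example/open.gif?r=recipient-42" width="1" height="1" alt="">
<img src="https://t.beacon.example/px.png" style="display: none;" alt="">
<img src="cid:signature-logo" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_EMAIL_HTML):
        print(beacon["host"], "->", ", ".join(beacon["reasons"]))
```

The heuristics are deliberately simple and will also match some legitimate newsletter tracking; the useful signal for the campaigns described here is a remote tiny or hidden image on a domain that has no business relationship with the recipient. The underlying mitigation is a mail client or gateway that does not fetch remote images automatically, since a beacon that is never loaded reports nothing about the recipient's network.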
“While the campaigns noted in this blog are not fleecing targets out of millions of dollars, this activity goes after something that is infinitely more difficult to quantify: information and influence,” Proofpoint wrote.
“With a clear degree of success, TA427 shows no indication of slowing down or losing its agility in adjusting its tactics and standing up new infrastructure and personas with expediency.”