State-sponsored North Korean hackers responsible for blitz of attacks in 2021

Suspected government-backed hackers from North Korea launched almost weekly cyberattacks on a wide array of targets throughout the first half of 2021, according to research released on Thursday by security firm Proofpoint.

The group, dubbed TA406, engaged in espionage, digital crime, and sextortion. It conducted frequent credential phishing campaigns against foreign policy experts and non-governmental groups whose work related to the Korean peninsula, as well as journalists and academics.

Researchers also uncovered, for the first time, two campaigns where the group attempted to distribute malware that could be used for information gathering.

The activity tracked as TA406 by Proofpoint is often referred to publicly as “Kimsuky,” or “Thallium,” a notorious hacking group with ties to the North Korean military known for attacks against Western diplomatic and national security organizations, and Konni, a family of remote access trojans. The group has conducted espionage-motivated campaigns since at least 2012 and financially-motivated campaigns since at least 2018, according to the company.

The Proofpoint research details how TA406 shifted from its focus from credential theft to spreading malware via email. 

The first instance, in March, involved messages that claimed to be from a top North Korea expert and targeted entities in North America. The second, which took place in June, came from the same sender and purported to be from a well-known foreign policy specialist.

“Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” the report concludes.