When a U.S.-based foreign affairs analyst received an email in October from the 38 North think-tank, he believed it was business as usual. It wasn't. The email was actually sent by an alleged North Korean operative seeking intelligence. Microsoft researchers attributed the campaign to Kimsuky, also tracked as Thallium.
Diving into details
Kimsuky is impersonating researchers from think tanks and commissioning reports on North Korean topics of interest.
The campaign began in January and has proven effective because it changes how the intelligence is gathered: the targets write the analysis themselves and hand it over voluntarily.
In some cases the attackers engage with a target for months to extract all the relevant information. They use spoofed emails that impersonate research institutes, so the request looks like a routine commission.
Why this matters
This technique is faster and cheaper than the usual route of running spear-phishing campaigns, building malware, and sifting through compromised email accounts in search of useful intelligence.
Kimsuky gets the analysis directly from the experts, which spares it the work of interpreting raw stolen data.
Microsoft noted that the actor engages with the experts without ever sending a malicious link or attachment, even after the target responds.
Because no malware or malicious URL is ever delivered, there is nothing for conventional mail-scanning security solutions to detect and flag; the only indicators are the spoofed sender identity and the conversation itself.
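Since the mail carries no payload, detection has to come from the sender identity rather than content scanning. The following Python is an added example, not code from Microsoft's research or from the article: it checks whether a message that claims to come from a known institute (by display name or body text) is actually sent from one of that institute's domains, flags lookalike domains by edit distance, and notes when the claimed-org message lacks a DMARC pass. The institute-to-domain mapping and the two sample messages are constructed for the example; 38north.org is assumed to be the institute's real domain and should be verified before use.

```python
"""Flag inbound mail that claims a known research institute as sender
but comes from a domain that is not the institute's, or is a lookalike of it.
Added example for this article; the allow-list and samples are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: organisation keyword -> legitimate sending domains.
# Assumption for this example; verify the real domains before deploying.
KNOWN_ORGS = {
    "38 north": {"38north.org"},
}


def _levenshtein(a, b):
    """Plain edit distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Domain part of the address in a From: header, lowercased."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw_message):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message)
    from_hdr = msg.get("From", "")
    name, _ = parseaddr(from_hdr)
    domain = sender_domain(from_hdr)
    auth = msg.get("Authentication-Results", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    claimed_text = (name + " " + body).lower()
    findings = []
    # 1. Display name or body invokes an institute the sender domain does not belong to.
    for org, domains in KNOWN_ORGS.items():
        if org in claimed_text and domain not in domains:
            findings.append(f"claims {org!r} but sent from {domain!r}")
            for legit in domains:
                if 0 < _levenshtein(domain, legit) <= 2:
                    findings.append(f"{domain!r} is a lookalike of {legit!r}")
    # 2. A claimed-institute message that did not pass DMARC deserves a second look.
    if findings and not re.search(r"\bdmarc=pass\b", auth):
        findings.append("no dmarc=pass in Authentication-Results")
    return findings


# Constructed sample messages (not real campaign artefacts).
SAMPLE_LEGIT = (
    'From: "38 North" <editor@38north.org>\n'
    "Authentication-Results: mx.example.net; dkim=pass header.d=38north.org; dmarc=pass\n"
    "Subject: Commissioned analysis request\n"
    "\n"
    "Could you draft a short assessment for us?\n"
)

SAMPLE_SPOOF = (
    'From: "38 North Research" <research@38n0rth.org>\n'
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=38n0rth.org; dmarc=none\n"
    "Subject: Commissioned analysis request\n"
    "\n"
    "Could you draft a short assessment for us?\n"
)

if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("spoof", SAMPLE_SPOOF)):
        print(label, assess(sample))
```

The spoofed sample passes SPF for its own lookalike domain, which is exactly why a check keyed on the claimed organisation rather than on authentication results alone is needed here; a mail gateway that only looks for payloads would pass both messages untouched.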
What has Kimsuky been up to?
Thallium was last observed in October in a new cyberespionage campaign targeting Android devices in South Korea.
It used three Android malware families, dubbed FastFire, FastViewer, and FastSpy, which posed as APKs for three utility tools.
Before that, Kimsuky had run another cyberespionage campaign against South Korean think tanks, professors, and government entities.
The bottom line
One of the most active and sophisticated North Korean threat actors, Kimsuky keeps refining its TTPs, and this campaign shows it can collect intelligence without dropping any malware at all. Organizations whose staff publish on North Korea should treat unsolicited research commissions with the same suspicion as unexpected attachments and verify the requesting institute through a known channel.