North Korean state-sponsored threat actors are abusing misconfigurations in DMARC to send convincing phishing emails and gather vital intelligence from Western targets, officials warned.
A new joint advisory released by the US National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and the State Department describes how the hacking collective known as Kimsuky, which is believed to be strongly linked to the Lazarus Group, and therefore the North Korean government has been found to abuse incorrectly configured DMARC logging policies to make it appear that emails come from legitimate sources.
DMARC stands for Domain-Based Message Authentication, Reporting, and Conformance and is described as an email authentication protocol that helps prevent spoofing, phishing, and other fraudulent email activities. DMARC works by allowing senders to authenticate their messages using cryptographic signatures and by establishing how recipients should handle messages that fail authentication.
Grasping intelligence
The three agencies said Kimsuky's goal is to “gather intelligence on geopolitical events, adversary foreign policy strategies and any information affecting the interests of the DPRK through illicit access to targets' private documents, investigations and communications.”
To ensure that the victim responds to the phishing email and shares the information it seeks, hackers will prepare diligently. They will thoroughly investigate their target and create false identities or pose as other people when they approach. When they steal other people's identities, they mostly pose as journalists, academics or other experts on East Asian affairs “with credible ties to North Korean political circles,” it said.
Citing a previous Proofpoint report, TheHackerNews He said this technique was first observed in December of last year, when Kimsuky undertook a “broader effort” to attack foreign policy experts for their views on nuclear disarmament, among other things. Kimsuky is described as a “social engineering expert,” he concluded the post.
