North Korean hackers use “Long Con” strategy to gain information; Steal crypto for operations

KEY POINTS

  • The group referred to as ‘APT43’ is believed to have ties to North Korea’s foreign intelligence service
  • North Korean hacking group targets experts through phishing and fake personas
  • APT43 steals cryptocurrency from ordinary users using malicious Android apps

A group of North Korean hackers conducts long-term social engineering and espionage campaigns to gather intelligence, supporting the geopolitical interests of the North Korean regime.

A new report from the cybersecurity consulting firm Mandiant, which is part of Google Cloud, highlighted the threat posed by a North Korean hacking group named “Advanced Persistent Threat 43” or APT43, which allegedly has ties to North Korea’s Reconnaissance General Bureau (RGB), the country’s main foreign intelligence service.

Mandiant said that since 2018, APT43 has played the “long con” by targeting South Korean, Japanese and American think tanks and academics familiar with international negotiations and sanctions affecting North Korea.

North Korean hackers approach their target experts using spear phishing emails sent from fake or spoofed personas. Victims are directed to websites posing as legitimate entities that contain fake login pages where victims are tricked into entering their account credentials.

After stealing the victims’ credentials, APT43 impersonates the target to perform intelligence gathering and uses the victim’s contacts to find other targets.

APT43 aims to gather expert knowledge on the defense, security and foreign policies of the United States and South Korea, which may affect North Korea’s policies.

“The group is primarily interested in information developed and stored within the U.S. military and government, the Defense Industrial Base (DIB), and research and security policies developed by U.S. universities and think tanks focused on nuclear security policy and non-proliferation,” the Mandiant report says.

“APT43 has shown interest in similar industries in South Korea, especially nonprofit organizations and universities that focus on global and regional policies, as well as businesses, such as manufacturing, that can provide information on goods whose export to North Korea has been restricted,” the report continued.

The North Korean hacking group has also targeted medical and pharmaceutical entities during the COVID-19 pandemic, which Mandiant said indicates its operations are “very sensitive to the demands of the Pyongyang leadership,” The Washington Post reported.

Mandiant cybersecurity researchers also uncovered APT43’s cryptocurrency theft operations against ordinary users. North Korean hackers reportedly used the stolen cryptocurrency to support their own operations.

The report states that APT43 uses malware-laden Android apps to target users seeking cryptocurrency loans. These users end up losing their digital assets to threat actors.

North Korean hackers would then launder the stolen cryptocurrency through hash rental and cloud mining services, making it harder for authorities to track them down.

Ben Read, Mandiant’s head of cyber espionage analysis, said that unlike other known regime-backed groups such as the Lazarus Group, groups such as APT43 have narrower objectives and contribute to North Korea’s cybercrime and intelligence operations while supporting Kim Jong-un’s nuclear ambitions.

“It shows a specialization between different groups. It’s a bureaucracy. It’s not just an undifferentiated group of hackers, but there are teams that, from year to year, operate consistently,” said Read.

North Korea has long been known for its sophisticated cybercrime activities.

The Lazarus Group was responsible for a cyber espionage campaign that used Distributed Denial of Service (DDoS) attacks to target South Korean government websites and servers.

The North Korean hacking group was also linked to bank heists in which millions were allegedly stolen from Banco del Austro in Ecuador and from Bangladesh Bank.

Lazarus Group was also involved in the massive Sony Pictures hack in 2014, stealing vast amounts of data and gaining access to previously unreleased movies.
