The North Korean state-sponsored threat actor Kimsuky is launching spear phishing attacks against individuals working at think tanks and academic institutions in the US, according to a joint advisory from the US State Department, the FBI, and the NSA.
“North Korean cyber actors rely on social engineering techniques such as spearphishing—the use of fabricated emails tailored to deceive a target—as their primary vector for initiating a compromise and gaining access to a target’s device and networks,” the advisory says.
“Kimsuky spear phishing campaigns begin with broad research and preparation, including leveraging open source information to identify potential targets of value and then creating tailored online personas to appear more realistic and appealing to their targets. The cyber actors may also use content from emails of previously compromised email accounts to enhance the seeming authenticity of their spoofed emails.”
The agencies warn users to be on the lookout for the following red flags:
- “Innocuous initial communication with no malicious links/attachments, followed by communications containing malicious links/documents, potentially from a different, seemingly legitimate, email address
- Email content that may include real text of messages recovered from previous victim
- engagement with other legitimate contacts
- Emails in English that have awkward sentence structure and/or incorrect grammar
- Emails or communications targeting victims with either direct or indirect knowledge of policy information, including U.S. and ROK government employees/officials working on North Korea, Asia, China, and/or Southeast Asia matters; U.S. and ROK government employees with high clearance levels; and members of the military
- Email accounts that are spoofed with subtle incorrect misspellings of legitimate names and email addresses listed in a university directory or an official website
- Malicious documents that require the user to click ‘Enable Macros’ to view the document
- “Follow-up emails within 2-3 days of initial contact if the target does not respond to the initial spear phishing email"
- Emails purporting to be from official sources but sent using unofficial email services, identifiable through the email header information being a slightly incorrect version of an organization’s domain”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Nextgov has the story.
