Rewterz Threat Alert – North Korean Threat Actor Group, APT43, Funds Its Espionage Activities Through Cybercrime – Active IOCs

Severity

High

Analysis Summary

Security researchers have discovered another North Korean threat actor gang that uses cybercrime operations to fund espionage activities against South Korean and US government organization.

APT43 threat actor group combines ‘moderately-sophisticated’ technological skills with aggressive social engineering efforts, particularly targeting South Korean and US-based government agencies, academics, and think tanks concentrating on geopolitical concerns on the Korean peninsula. The campaign include strategic intelligence collection linked with Pyongyang’s geopolitical goals, credential harvesting and social engineering to enable espionage efforts, and financially driven cybercrime to fund operations.

APT43’s collecting goals fit with the mission of North Korea’s principal foreign intelligence service, the Reconnaissance General Bureau (RGB), stating that the group’s concentration on foreign policy and nuclear security concerns helps North Korea’s strategic and nuclear aspirations.

The group develops a large number of spoofed and fraudulent personas for use in social engineering, as well as cover identities for acquiring operational gear and infrastructure.

” Domains masquerading as legitimate sites are used in credential harvesting operations.” Also, they added, “We have not observed APT43 exploiting zero-day vulnerabilities.”

APT43 maintains a high tempo of activity, indicating a persistent and ongoing threat to cybersecurity. Their focus on phishing and credential collection campaigns is also worrisome, as these tactics are commonly used to gain unauthorized access to sensitive information and systems.

The report mentions APT43’s coordination with other elements of the North Korean cyber ecosystem is also significant. North Korea is known to have a well-developed cyber program that includes multiple state-sponsored hacking groups, and coordination between these groups could make them even more dangerous and effective in their cyber espionage activities.

In order to support North Korea’s juche state philosophy of self-reliance, APT43 steals and launders enough bitcoin to purchase operational infrastructure, relieving financial pressure on the central government.

Experts believe that APT43’s principal goal is cyber espionage, and the information that is currently accessible suggests that the group also engages in other actions that assist gathering strategic intelligence.

“Although the overall targeting reach is broad, the ultimate aim of campaigns is most likely centered around enabling North Korea’s weapons program, including: collecting information about international negotiations, sanctions policy, and other country’s foreign relations and domestic politics as these may affect North Korea’s nuclear ambitions” they added.

Impact

• Cyber Espionage 
• Cyber Warfare

Indicators of Compromise

MD5

• 2d330c354c14b39368876392d56fb18c
• 15ec5c7125e6c74f740d6fc3376c130d
• 2a5562de1d3e734d9328a1c78b43c2e5
• 0cc0aa5877cec9109b7a5a0e3a250c72
• 2c530adb841114366ce6177ce964a5e6
• c066b81c4b8b0703f81f8bc6fb432992
• 1d30dfa5d8f21d1465409b207115ded6
• 21cffaa7f9bf224ce75e264bfb16dd0d

SHA-256

• f86d05c1d7853c06fc5561f8df19b53506b724a83bb29c69b39f004a0f7f82d8
• 4a1c43258fe0e3b75afc4e020b904910c94d9ba08fc1e3f3a99d188b56675211
• 203ea478fa4d2d5ef513cad8b51617e0c9f7571bf3a3becf9c267a0d590c6d72
• 1324acd1f720055e7941b39949116dfe72ce2e7792e70128f69e228eb48b0821
• 873b8fb97b4b0c6d7992f6af15653295788526def41f337c651dc64e8e4aeebd
• 63b4bd01f80d43576c279adf69a5582129e81cc4adbd03675909581643765ea8
• ed0161f2a3337af5e27a84bea85fb4abe35654f5de22bcb8a503d537952b1e8a
• a605570555620cea6d6be211520525fc95a30961661780da4cc4bafe9864f394

SHA-1

• a1f72c890d0b920f4f4cb2d59df6fa40734de90d
• fb09b89803da071b7b7eb23244771c54d979a873
• 4b0d0ebb0c676efe855bed796221dd475a39ba40
• 1d49d462a11a00d8ac9608e49f055961bf79980d
• 5b69e3e5f4f49cf8b635a57a8c92e17a4f130d50
• 2508f5ff0c28356c0c3f8e6cae7b750d53495bca
• 942fd7b4ef1ccf7032a40acad975c7b5905c3c77
• 862abce03f7f5de0c466fdbd24ad796578eaa110

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Implementing strong access controls can help prevent unauthorized access to sensitive information and systems. This includes using multi-factor authentication, regularly changing passwords, and limiting access to information and systems based on job roles and responsibilities.
• Implement Advanced Threat Detection and Response Capabilities: Advanced threat detection and response capabilities, such as intrusion detection systems (IDS) and Security Information and Event Management (SIEM) tools, can help detect and respond to potential cyber attacks in real-time.