The Washington Post

North Korean hackers play the ‘long con’ by targeting experts

People at the Sci-Tech Complex in Pyongyang, North Korea, in 2017. (Wong Maye-E/AP)

TOKYO — Bruce Klingner, a longtime Northeast Asia specialist, once received a message from a verified email address of Korea analyst Aidan Foster-Carter that seemed innocuous: Would Klingner review a paper by nuclear policy expert Jamie Kwong?

Klingner agreed, and began exchanging emails with “Kwong” about her paper. Then came an email with a fishy link, which he forwarded to his IT team. It was malware, and the entire exchange was a trap; neither Foster-Carter nor Kwong had contacted Klingner.

Like many Korea watchers, Klingner, a senior research fellow at the Heritage Foundation, can rattle off more than a half-dozen such phishing attempts impersonating researchers, government officials and journalists. Such efforts are linked with an increasingly prolific North Korean cyberespionage operation that uses social engineering and fraudulent personas to gather intelligence, according to a new report released Tuesday by U.S. cybersecurity firm Mandiant.

Mandiant, which is a part of Google Cloud, has elevated the threat status of this group, which it has named Advanced Persistent Threat 43, or APT43.

Mandiant’s new advisory follows a warning last week about the same outfit by South Korean and German security agencies, which found that the North Korean hackers have been waging a campaign designed to gain access to victims’ Google accounts, with attacks that use Google’s browser and app store as their jumping-off points.


In recent years, these phishing attempts have become more sophisticated. Sometimes they don’t even include links or attachments. Instead, the hackers build rapport with experts to gain their insight on North Korea-related policies by impersonating people at legitimate think tanks and “commissioning” reports, said Klingner, who has researched North Korean cyber activity.

North Korea has long been known for the expansive scope and sophistication of its cyberweaponry, most infamously the massive 2014 hack into Sony Pictures over a film spoofing North Korean leader Kim Jong Un. Kim’s cyberwarriors have been accused of netting millions of dollars at a time through their attacks.

The report, which offers a comprehensive look at APT43’s activities, highlights Pyongyang’s increasingly complex cybercrime operation.

Some of the known regime-backed groups are tied to large-scale schemes, like Lazarus Group, which U.S. investigators said was behind the Sony hack. Others, like APT43, have a narrower focus and complement the larger operations, while sharing techniques and working toward a common goal of supporting Kim’s nuclear ambitions, said Ben Read, head of Mandiant’s cyberespionage analysis.

“It shows specialization between the different groups,” Read said. “It is a bureaucracy. It’s not just an undifferentiated cluster of hackers, but there are teams that consistently, year-over-year, operate in a way that is sort of knowable.”

APT43 plays the “long con” through unusually aggressive social engineering targeting South Korean, Japanese and American individuals with insight into international negotiations and sanctions affecting North Korea, and steals cryptocurrency to sustain its own operations, according to Mandiant researchers.

The outfit also targeted health-care and pharmaceutical companies during the pandemic, which demonstrates that the North Korean regime’s cyber operations are “highly responsive to the demands of Pyongyang’s leadership,” Mandiant found.


Individual cybersecurity companies often maintain their own, separate rules for naming hacking outfits. Other security researchers and government agencies refer to APT43 by different monikers, and all of them are “roughly equivalent,” Read said: Kimsuky, Thallium, Velvet Chollima, TA406 and Black Banshee are among the other names for the group.

A collection of U.S. cyber agencies said in 2020 that it is likely that Kimsuky has been operating since 2012. Outside of its targets in the United States, South Korea and Japan, other prominent, previously reported hacking targets include nearly a dozen officials at the U.N. National Security Council in 2020 and a nuclear power plant that it breached in India in 2019.

APT43 is also involved in cryptocurrency theft and laundering that is targeted at ordinary users, rather than at large-scale crypto exchanges, Mandiant found.

In 2022, North Korea stole record levels of cryptocurrency assets through various methods, according to a draft U.N. monitoring report obtained by Reuters. U.N. experts have accused North Korea’s cyber efforts of stealing hundreds of millions of dollars from financial institutions and through cryptocurrency exchanges to finance its nuclear and missile programs.

Cryptocurrency has also come under focus as North Korea has dramatically decreased trade with China, its economic lifeline, while ramping up its missile testing and facing crippling international sanctions — raising questions about how the impoverished country is financing its testing frenzy.

Pyongyang has denied allegations of cybercrimes and crypto theft.

APT43 is not likely to be linked to any major known heists, Read said. But it is unique because it targets everyday users, and a ton of them, making its activities harder to detect while still raking in cryptocurrency, Mandiant experts said.

Since June 2022, Mandiant has tracked more than 10 million phishing attempts using non-fungible tokens, or NFTs, that successfully moved cryptocurrency, according to Mandiant.

“By spreading their attack out across hundreds, if not thousands, of victims, their activity becomes less noticeable and harder to track than hitting one large target,” Michael Barnhart, Mandiant principal analyst, said in a statement. “Their pace of execution, combined with their success rate, is alarming.”

Once investigators identify stolen cryptocurrency, thieves can have a hard time turning it into traditional currency. To launder their stolen cryptocurrency, the APT43 hackers pay to rent services used to “mine,” or create, different crypto that’s not connected to the stolen funds, Mandiant said. This method, called “hash rental,” is a less common and somewhat outdated way of laundering cryptocurrency, experts said.

Starks reported from Washington.