Security News > 2021 > November > North Korean Hackers Found Behind a Range of Credential Theft Campaigns
A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering.
Policy experts, journalists and nongovernmental organizations were targeted as part of weekly campaigns observed between from January through June 2021, Proofpoint researchers Darien Huss and Selena Larson disclosed in a technical report detailing the actor's tactics, techniques, and procedures, with the attacks spread across North America, Russia, China, and South Korea.
Earlier this month, researchers from Cisco Talos disclosed an ongoing Kimsuky campaign since June 2021 that was found leveraging malicious blogs hosted on Google's Blogger platform to target high-value South Korean targets, including geopolitical and aerospace research agencies, with the goal of delivering a "Constantly evolving set of implants derived from the Gold Dragon/Brave Prince family" that act as file exfiltrators, information gatherers, and credential stealers for reconnaissance, espionage, and credential harvesting.
Now in what appears to be a further ramping up of attacks, the threat actor simultaneously commenced near-weekly email threat campaigns using the identities of legitimate policy experts, while featuring themes related to nuclear weapon safety, politics, and Korean foreign policy, ultimately luring the targeted individuals to give up their corporate credentials via a rogue URL embedded in the messages that redirect the victims to custom credential-harvesting pages.
Kimsuky's phishing campaigns had a noticeable shift in March 2021 when the emails moved beyond credential theft to become a medium for distributing malware, coinciding with North Korea's missile tests conducted later that month.
The ultimate motive behind the attacks remains unclear as no follow-on payloads were observed.
News URL
https://thehackernews.com/2021/11/north-korean-hackers-found-behind-range.html
Related news
- North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks (source)
- Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials (source)
- Hackers exploit Roundcube webmail flaw to steal email, credentials (source)
- Hackers steal 15,000 cloud credentials from exposed Git config files (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- North Korean hackers pave the way for Play ransomware (source)
- Microsoft: Chinese hackers use Quad7 botnet to steal credentials (source)
- North Korean hackers employ new tactics to compromise crypto-related businesses (source)
- North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS (source)
- North Korean hackers use new macOS malware against crypto firms (source)