Security News > 2021 > November > North Korean Hackers Found Behind a Range of Credential Theft Campaigns

A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering.
Policy experts, journalists and nongovernmental organizations were targeted as part of weekly campaigns observed between from January through June 2021, Proofpoint researchers Darien Huss and Selena Larson disclosed in a technical report detailing the actor's tactics, techniques, and procedures, with the attacks spread across North America, Russia, China, and South Korea.
Earlier this month, researchers from Cisco Talos disclosed an ongoing Kimsuky campaign since June 2021 that was found leveraging malicious blogs hosted on Google's Blogger platform to target high-value South Korean targets, including geopolitical and aerospace research agencies, with the goal of delivering a "Constantly evolving set of implants derived from the Gold Dragon/Brave Prince family" that act as file exfiltrators, information gatherers, and credential stealers for reconnaissance, espionage, and credential harvesting.
Now in what appears to be a further ramping up of attacks, the threat actor simultaneously commenced near-weekly email threat campaigns using the identities of legitimate policy experts, while featuring themes related to nuclear weapon safety, politics, and Korean foreign policy, ultimately luring the targeted individuals to give up their corporate credentials via a rogue URL embedded in the messages that redirect the victims to custom credential-harvesting pages.
Kimsuky's phishing campaigns had a noticeable shift in March 2021 when the emails moved beyond credential theft to become a medium for distributing malware, coinciding with North Korea's missile tests conducted later that month.
The ultimate motive behind the attacks remains unclear as no follow-on payloads were observed.
News URL
https://thehackernews.com/2021/11/north-korean-hackers-found-behind-range.html
Related news
- Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion in Bybit Heist (source)
- Microsoft: North Korean hackers join Qilin ransomware gang (source)
- North Korean Lazarus hackers infect hundreds via npm packages (source)
- Hackers Using E-Crime Tool Atlantis AIO for Credential Stuffing on 140+ Platforms (source)
- North Korean hackers adopt ClickFix attacks to target crypto firms (source)
- North Korean Hackers Disguised as IT Workers Targeting UK, European Companies, Google Finds (source)
- North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages (source)
- Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials (source)
- North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures (source)