Security News > 2021 > November > North Korean Hackers Found Behind a Range of Credential Theft Campaigns
A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering.
Policy experts, journalists and nongovernmental organizations were targeted as part of weekly campaigns observed between from January through June 2021, Proofpoint researchers Darien Huss and Selena Larson disclosed in a technical report detailing the actor's tactics, techniques, and procedures, with the attacks spread across North America, Russia, China, and South Korea.
Earlier this month, researchers from Cisco Talos disclosed an ongoing Kimsuky campaign since June 2021 that was found leveraging malicious blogs hosted on Google's Blogger platform to target high-value South Korean targets, including geopolitical and aerospace research agencies, with the goal of delivering a "Constantly evolving set of implants derived from the Gold Dragon/Brave Prince family" that act as file exfiltrators, information gatherers, and credential stealers for reconnaissance, espionage, and credential harvesting.
Now in what appears to be a further ramping up of attacks, the threat actor simultaneously commenced near-weekly email threat campaigns using the identities of legitimate policy experts, while featuring themes related to nuclear weapon safety, politics, and Korean foreign policy, ultimately luring the targeted individuals to give up their corporate credentials via a rogue URL embedded in the messages that redirect the victims to custom credential-harvesting pages.
Kimsuky's phishing campaigns had a noticeable shift in March 2021 when the emails moved beyond credential theft to become a medium for distributing malware, coinciding with North Korea's missile tests conducted later that month.
The ultimate motive behind the attacks remains unclear as no follow-on payloads were observed.
News URL
https://thehackernews.com/2021/11/north-korean-hackers-found-behind-range.html
Related news
- North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack (source)
- North Korean hackers spotted using ClickFix tactic to deliver malware (source)
- Hackers pose as employers to steal crypto, login credentials (source)
- North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware (source)
- North Korean hackers linked to $1.5 billion ByBit crypto heist (source)
- OpenAI bans ChatGPT accounts used by North Korean hackers (source)
- North Korean Hackers Steal $1.5B in Cryptocurrency (source)
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers (source)
- Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion in Bybit Heist (source)
- Microsoft: North Korean hackers join Qilin ransomware gang (source)