Security News

"Successful compromises of the targeted individuals enable Kimsuky actors to craft more credible and effective spear-phishing emails that can be leveraged against sensitive, high-value targets." Kimsuky refers to an ancillary element within North Korea's Reconnaissance General Bureau and is known to collect tactical intelligence on geopolitical events and negotiations affecting the regime's interests.

The United States and the Republic of Korea have issued a joint cyber security advisory [PDF] about North Koreas "Kimsuky" cyber crime group. In their joint advisory, US and South Korean authorities said Kimsuky targets "Think tanks, academic institutions, and news outlets for the purpose of intelligence gathering." The South says the gang is also involved in stealing info used by the DPRK's satellite program.

The Treasury Department's Office of Foreign Assets Control announced sanctions today against four entities and one individual for their involvement in illicit IT worker schemes and cyberattacks generating revenue to finance North Korea's weapons development programs. North Korea's illicit revenue generation strategy relies heavily on a massive "Army" of thousands of IT workers who hide their identities to get hired by companies overseas, the OFAC said in a press release published on Tuesday.

The North Korean threat actor known as ScarCruft began experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default. Other bespoke malware used by the group include, but not limited to, Chinotto, BLUELIGHT, GOLDBACKDOOR, Dolphin, and, most recently, M2RAT. It's also known to use commodity malware such as Amadey, a downloader that can receive commands from the attacker to download additional malware, in a bid to confuse attribution.

The US government is aggressively pursuing three men accused of wide-ranging and complex conspiracies of laundering stolen and illicit cryptocurrency that the North Korean regime used to finance its massive weapons programs. The Department of Justice this month indicted North Korean national Sim Hyon Sop, Wu HuiHui of China, and Cheng Hung Man, a Hong Kong British national, for their roles in two money laundering conspiracies, both aimed at channeling funds into North Korea's coffers.

Researchers at Russian cybersecurity firm Kaspersky today revealed that they identified a small number of cryptocurrency-focused firms as at least some of the victims of the 3CX software supply-chain attack that's unfolded over the past week. Kaspersky declined to name any of those victim companies, but it notes that they're based in "Western Asia.".

Norwegian authorities announced on Thursday that they had recovered $5.9 million of cryptocurrency stolen in the Axie Infinity hack - an incident widely held to have been perpetrated by the Lazarus Group, which has links to North Korea. The Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime has called the seizure among the largest ever money seizures - and the largest-ever related to crypto - made by Norway.

The North Korea-linked threat actor tracked as APT37 has been linked to a piece of new malware dubbed M2RAT in attacks targeting its southern counterpart, suggesting continued evolution of the group's features and tactics. APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea's Ministry of State Security unlike the Lazarus and Kimsuky threat clusters that are part of the Reconnaissance General Bureau.

US and South Korean agencies have issued a joint cybersecurity advisory describing the tactics, techniques and procedures used by North Korean hackers to deploy "State-sponsored" ransomware on hospitals and other organizations that can be considered part of the countries' critical infrastructure. "The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments-specific targets include Department of Defense Information Networks and Defense Industrial Base member networks," the advisory points out.

Two cryptocurrency exchanges have frozen accounts identified as having been used by North Korea's notorious Lazarus Group. Lazarus Group is identified suspected of being a cybercrime crew run by the government of North Korea and is infamous for the WannaCry ransomware, attacking Sony Pictures and stealing secrets from energy companies.