The U.S. government has issued a new cybersecurity advisory highlighting North Korean threat actors’ efforts to send deceptive emails that appear to be from legitimate and trusted sources.
This bulletin was a collaborative effort between the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State.
The NSA stated, “The DPRK [Democratic People’s Republic of Korea] leverages these spear-phishing campaigns to gather intelligence on geopolitical events, adversary foreign policy strategies, and other information relevant to DPRK interests by gaining unauthorized access to targets’ private documents, research, and communications.”
The advisory focuses specifically on the exploitation of improperly configured DNS Domain-based Message Authentication, Reporting, and Conformance (DMARC) record policies to conceal social engineering attempts. When a domain's DMARC policy is weak, receiving mail servers are not told to reject messages that fail authentication, so threat actors can send fraudulent emails that appear to come from that genuine domain's email server.
Weak DMARC policies have been linked to a North Korean threat group known as Kimsuky, which is associated with the Reconnaissance General Bureau (RGB) and connected to the Lazarus Group. The group has been using this technique since December 2023 to target foreign policy experts on a range of topics.
Proofpoint, in a recent report, highlighted Kimsuky’s method of engaging targets in extended conversations to gain trust and elicit information without directly sending malware or harvesting credentials.
Kimsuky has been observed using free email addresses to impersonate legitimate personnel and engage targets in conversations. In one case, the threat actor pretended to be a journalist seeking an interview, directing the target to respond to a fake email account.
Organizations are advised to update their DMARC policies to identify suspicious emails and receive feedback reports. This includes setting up an email address in the DMARC record for aggregate feedback reports.
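As an added example (not code from the advisory or the agencies behind it), the following Python function checks a domain's DMARC TXT record for the weaknesses the advisory warns about: a monitoring-only policy, a weaker subdomain policy, partial enforcement, and no address for aggregate feedback reports. The sample records are constructed, and the check assumes the record has already been fetched from DNS.

```python
# Added example, not part of the advisory: audit a DMARC TXT record for
# settings that let spoofed mail through or leave the owner without reports.

# Policies in order of strength; "none" only monitors and never blocks
_POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample records for illustration
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=none; rua=...') into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of problems found in the record; an empty list means it is well configured."""
    tags = parse_dmarc(record)
    problems = []
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in _POLICY_RANK:
        problems.append("missing or unknown p= tag")
    elif policy == "none":
        problems.append("p=none: failing mail is reported but still delivered")
    # sp= defaults to p= when absent; an explicitly weaker sp= leaves subdomains open
    sub_policy = tags.get("sp", policy).lower()
    if policy in _POLICY_RANK and sub_policy in _POLICY_RANK \
            and _POLICY_RANK[sub_policy] < _POLICY_RANK[policy]:
        problems.append(f"sp={sub_policy} is weaker than p={policy}")
    # pct below 100 applies the policy to only a fraction of failing mail
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        problems.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # Without a rua= mailto: address the owner receives no aggregate feedback reports
    rua_targets = [u.strip() for u in tags.get("rua", "").split(",")]
    if not any(u.startswith("mailto:") for u in rua_targets):
        problems.append("no rua= mailto: address, so no aggregate feedback reports")
    return problems
```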