Google Cloud’s recently acquired security outfit Mandiant has named a new nasty from North Korea: a cyber crime gang it calls APT43 and accuses of a five-year rampage.
“Mandiant assesses with high confidence that APT43 is a moderately sophisticated cyber operator that supports the interests of the North Korean regime,” states a report on the gang released on Wednesday.
The report observes that APT43’s activities have sometimes been attributed to actors known as “Thallium” or “Kimsuky” – such as the 2021 attack on South Korea’s nuclear research agency.
That raid is typical of APT43’s activities. It aligns with the gang’s goal of strategic intelligence collection to keep North Korea informed of its foes’ activities and capabilities.
APT43 mostly uses spear phishing and fake websites to gather information, eschewing zero-day vulnerabilities. Once it compromises a target, the gang’s favorite tool is LATEOP – a backdoor based on Visual Basic scripts. It has also used malware such as gh0st RAT, QUASARRAT, and AMADE to go about its business. The gang appears not to be a notable malware innovator, but Mandiant has observed “a steady evolution and expansion of the operation’s malware library over time.”
As North Korea’s needs change, so do APT43’s activities and targets. Before 2020 it targeted diplomatic organizations and think tanks that considered strategic issues around the Korean peninsula. It then shifted focus to healthcare organizations, in what Mandiant assesses was a desire to gather information related to COVID-19.
Those shifts have seen the group attack different types of target. But Mandiant’s analysts believe it has an overarching purpose of “enabling North Korea’s weapons program, including: collecting information about international negotiations, sanctions policy, and other countries’ foreign relations and domestic politics as these may affect North Korea’s nuclear ambitions.”
APT43 funds its own activities by stealing and laundering cryptocurrency, but those heists aren’t its purpose. Indeed, North Korea backs another gang – APT38 – to pinch cryptocurrency.
But the gangs don’t operate in isolation. Mandiant asserts “APT43 has shared infrastructure and…