North Korean Hackers Found Behind a Range of Credential Theft Campaigns

A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering.

Enterprise security firm Proofpoint attributed the infiltrations to a group it tracks as TA406, which the wider threat intelligence community tracks under the monikers Kimsuky (Kaspersky), Velvet Chollima (CrowdStrike), Thallium (Microsoft), Black Banshee (PwC), ITG16 (IBM), and the Konni Group (Cisco Talos).

Policy experts, journalists and nongovernmental organizations (NGOs) were targeted as part of weekly campaigns observed from January through June 2021, Proofpoint researchers Darien Huss and Selena Larson disclosed in a technical report detailing the actor’s tactics, techniques, and procedures (TTPs), with the attacks spread across North America, Russia, China, and South Korea.

Known to be operational as early as 2012, Kimsuky has since emerged as one of the most active advanced persistent threat (APT) groups, known for setting its sights on cyber espionage but also for conducting attacks for financial gain, targeting government entities, think tanks, and individuals identified as experts in various fields, as well as harvesting sensitive information pertaining to foreign policy and national security issues.


“Like other APT groups that constitute a big umbrella, Kimsuky contains several clusters: BabyShark, AppleSeed, Flower Power, and Gold Dragon,” Kaspersky researchers noted in their Q2 2021 APT trends report published last month. The AppleSeed sub-group is also referred to as TA408.

The group is also known for reeling in targets with convincing social engineering schemes and watering hole attacks before sending them malware-infected payloads or tricking them into submitting sensitive credentials to phishing sites, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a public alert issued in October 2020.

Earlier this month, researchers from Cisco Talos disclosed an ongoing Kimsuky campaign since June 2021 that was found leveraging malicious blogs hosted on Google’s…


North Korean Lazarus Hacking Group Leverages Supply Chain Attacks To Distribute Malware for Cyber Espionage

North Korean threat actor Lazarus group has resorted to supply chain attacks similar to SolarWinds and Kaseya to compromise the regime’s targets, according to cybersecurity firm Kaspersky.

Kaspersky’s Q3 2021 APT Trends report says that “Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload.”

The APT group compromised a South Korean think tank using two remote access trojan (RAT) variants, BLINDINGCAN and COPPERHEDGE. The DHS Cybersecurity & Infrastructure Security Agency (CISA) had issued security alerts AR20-232A and AR20-133A covering these trojans.

According to the researchers, Lazarus’ recent activity is part of a broader international campaign leveraging supply chain attacks.

Identified by US-CERT and the FBI as HIDDEN COBRA, the group was suspected to be responsible for the WannaCry ransomware and the Sony Picture Entertainment hacking that escalated tensions between the US and North Korea.

Lazarus’ supply chain attacks target atypical victims

Experts believe that Lazarus is expanding its victim base beyond that of Asian government agencies and policy think tanks.

Kaspersky researchers discovered that the hacking group had targeted a Latvian tech firm developing asset monitoring solutions, an atypical victim for Lazarus.

During the attack, the North Korean APT deployed a compromised downloader “Racket” signed with a stolen digital certificate. The hacking group had stolen the digital certificate from a US-based South Korean security company.

According to Kaspersky, the APT compromised multiple servers and uploaded several malicious scripts in the process. The group used the malicious scripts to control the trojans installed on downstream victims.

“North Korea once again figures prominently in an attack, although it doesn’t appear to be the government this time, at least not directly,” said Saryu Nayyar, CEO at Gurucul.

“Government-sponsored attacks continue to be a major issue for other governments and enterprises. Both types of organizations need to be cognizant of the potential for high-powered attacks and respond appropriately. Early…


S. Korean armed forces demonstrate readiness with joint landing operation

A South Korean Air Force P-3C maritime patrol aircraft flies over the coastline of Yeongilman along with an E-737 Peace Eye.
The operation code is “Peacemaker.”
Soon, the Air Force’s aerial refueling aircraft KC-330 will make its way above the coastline, guarded by military fighter jets: the F-35A and F-15K.
With purple smoke, RF-16 Global Hawk aircraft soar into the sky, followed by the loud noise of a sonic boom.
Their mission is to hit the Air Force’s main target.
Now, it’s the turn of the Korea Assault Amphibious Vehicle.
With yellow and white smoke shooting out of the sea, 48 KAAVs and 48 IBS inflatable boats land along the coastline while Apache attack helicopters, along with several Surions, Chinooks, and Black Hawks, provide airborne firepower support.
Soon after landing, with loud shouts, some 800 marines fully equipped with military gear run forward from the KAAVs.
Their unit target is secured.

(STANDUP) ed: Steve
“One of the highlights from this year’s event: joint forces from the Army, Navy, and Air Force demonstrated their amphibious operations.”

For the first time in history, the South Korean Marine Corps was the host for this year’s Armed Forces Day, taking place in the southeastern port of Pohang, the home of the Marine Corps since 1959.
More importantly, Pohang is where UN forces initiated their first amphibious mission during the Korean War, which became one of the war’s most pivotal areas.

“To prepare for the 73rd Armed Forces Day, the Army, Navy, Air Force, and Marine Corps trained and practiced together. The whole process was a chance to be able to check our military’s readiness for joint operations.”

Finally, the joint landing mission is completed with the raising of the South Korean flag.
The country’s armed forces vow to develop an integrated air defense system and to prepare for a modernized military defense as well as a cyber warfare system based on artificial intelligence.
Choi Won-jong, Arirang News, Pohang.


What makes North Korean hacking groups more creative?

North Korean leader Kim Jong Un meets with former U.S. President Donald Trump within the demilitarized zone (DMZ) separating South and North Korea in 2019. (Handout photo by Dong-A Ilbo via Getty Images/Getty Images)

When cybersecurity experts talk about APT groups targeting the U.S. and its allies, they usually end up connecting the activity to one of “The Big Four:” Russia, China, Iran and North Korea. While these countries are far from the only ones conducting clandestine operations in cyberspace today, they’re often pegged as the most sophisticated and thus tend to get much of the attention.

But that doesn’t mean they all operate the same way. From a preference for writing custom malware code to pioneering new strategies, North Korean hacking groups have shown an innovative spirit that allows them to punch above their weight despite crushing sanctions.

At the 2021 RSA Conference, Dmitri Alperovitch, co-founder and former chief technology officer of CrowdStrike, said North Korean hacking groups, many of which operate under the umbrella name Lazarus Group, stand out considerably from their other Big Four counterparts in the creativity of their hacking campaign tactics and the way they eschew popular commercial offensive tools.

“They’re in some ways my favorite actor in cyberspace, because they’re just so incredibly innovative,” said Alperovitch, now executive chairman at the Silverado Policy Accelerator.

In the early 2000s, North Korean intelligence agencies like the Reconnaissance General Bureau “pioneered” the concept of destructive cyberattacks in digital skirmishes with their South Korean neighbors, while the country’s 2014 hack of entertainment giant Sony foretold the coming era of hack and leak operations that would be picked up by Russia just a few more years down the line.

Alperovitch said that in recent years, Russian, Chinese and Iranian APTs have increasingly incorporated publicly available commercial offensive hacking tools like Cobalt Strike or open-source tools like the credential harvesting Mimikatz in their operations in lieu of writing their own malware, because they are less expensive and because using…