Nuclear policy was a main focus of the espionage efforts, researchers said.
(Bloomberg) — Suspected North Korean hackers are posing as journalists and trying to gather intelligence about international officials’ approach to nuclear security policy and Kim Jong Un’s government, according to new research.
A prolific cyber-espionage group that’s targeted US and South Korean government organizations, academics and think tanks in recent months is using fabricated personas in order to collect strategic intelligence on behalf of North Korean leaders, according to findings published Tuesday by Mandiant, a threat intelligence unit of Google Cloud.
By masquerading as a journalist from Voice of America, a US-owned news network, members of the group known as APT43 are contacting subject-matter experts to inquire about nuclear security policy and weapons proliferation, researchers said. In a similar campaign revealed in March, Mandiant said suspected North Korean hackers also distributed a fake email attachment that appeared to be from a recruiter for the New York Times.
Mandiant is highly confident the group works on behalf of the Reconnaissance General Bureau, North Korea’s primary intelligence service, said Sandra Joyce, vice president and head of global intelligence.
“Anybody could be a victim of this,” she said. “They’re just incredibly innovative and a scrappy group.”
One message that appeared to be from a Voice of America correspondent asked an unnamed individual whether they expected Japan to increase its defense budget amid North Korean nuclear tests.
“I would be very grateful if you could send me your answers within five days,” the writer noted.
The group is particularly adept at stealing personally identifiable information and then using that data to create fake web accounts and register domains, security experts said. Hackers have also offered to pay scholars hundreds of dollars in exchange for writing a research paper on their behalf, Reuters reported.
APT43 also has registered a series of web domains meant to look like legitimate websites, including one page that impersonated Cornell University, meant to boost the credibility of the hackers’ cyber-espionage work, according to Mandiant. The same group has also uses malicious apps to generate cryptocurrency, steals usernames and passwords and conducts espionage focused on international negotiations about nuclear policy.
The move to impersonate US journalists comes after other hacking groups reportedly sponsored by Kim Jong Un’s government have intensely focused on the cryptocurrency sector. Hacking groups that US officials have linked to the North Korean government stole an estimated $1.7 billion in 2022, according to the blockchain analysis firm Chainalysis Inc.
–With assistance from Margi Murphy.
More stories like this are available on bloomberg.com
©2023 Bloomberg L.P.