Elevating the Title, APT43 Designated for North Korean Actor
Category: Threat Actor Activity | Industries: Defense, Education, Government, Healthcare, Media, Nuclear, Pharmaceutical, Research, Think Tanks | Level: Tactical | Source: Mandiant
A recently uncovered North Korean hacking group, identified as "APT43," has been conducting cyber attacks against government agencies, cryptocurrency services, academics, think tanks, media members and organizations across the United States, Europe, Japan, and South Korea since 2018. The threat actor's motives are espionage and financially motivated cybercrime operations that amass funds to support its activities. Formerly tracked as "Kimsuky" or "Thallium," the group's activities are now recognized by Mandiant as APT43. Mandiant researchers exposed APT43's activities in their latest report, assessing "with moderate confidence that APT43 is attributable to the North Korean Reconnaissance General Bureau (RGB), the country's primary foreign intelligence service." Mandiant's observation of sudden shifts in APT43's espionage operations suggests the group adjusts its objectives in response to changes in the state's strategic plans. One example was a shift to targeting organizations in the healthcare and pharmaceutical sectors, using specifically crafted malware, likely in response to the COVID-19 pandemic.
Mandiant did not observe APT43 exploiting zero-day vulnerabilities. "Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting, and social engineering to support espionage activities, and financially-motivated cybercrime to fund operations." The group uses the harvested credentials to further its interests, which involve gathering information on the U.S. military and government, the defense industrial base (DIB), nuclear security policy, and research and security policies developed by academia and think tanks based in the U.S. "APT43 has displayed interest in similar industries within South Korea, specifically non-profit organizations and universities that focus on global and regional policies, as well as businesses, such as manufacturing, that can provide information around goods whose export to North Korea has been restricted," as explained by Mandiant.
Anvilogic Use Cases:
- AVL_UC1116 - Executable Create Script Process
- AVL_UC6101 - Service Installed
- AVL_UC13705 - Remote Access Software Execution