North Korea Sponsors Cyber Threats

Global Attacks

May 16, 2024

The National Security Agency (NSA) and the FBI recently issued a joint cybersecurity advisory regarding APT43, a North Korean (DPRK)-linked hacking group that was observed exploiting weak email Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to mask spearphishing attacks. The technique abuses misconfigured DMARC policies (those that do not instruct receiving servers to quarantine or reject mail that fails authentication) to send spoofed emails that appear to originate from credible sources such as journalists, academics, and experts in East Asian affairs. The NSA highlighted that the DPRK leverages these spearphishing campaigns to gather intelligence on geopolitical events and adversary foreign policy strategies. Additionally, these threat groups provide stolen data to the DPRK regime by compromising policy analysts and other experts.

APT43 operatives have been impersonating journalists and academics for spearphishing campaigns, targeting think tanks, research centers, academic institutions, and media organizations in the US, Europe, Japan, and South Korea since 2018. DPRK’s primary military intelligence organization, the Reconnaissance General Bureau (RGB), is associated with a broad range of intelligence collection and espionage activities coordinated by the APT43 state-sponsored threat group, also known as Kimsuky, Emerald Sleet, Velvet Chollima, and Black Banshee. Kimsuky is administratively subordinate to the 63rd Research Center, an element within DPRK’s RGB, and has conducted cyber campaigns with the intent to maintain current intelligence on the US, South Korea, and other countries of interest in support of RGB objectives since at least 2012.

In April, South Korean (ROK) authorities disclosed a significant hacking operation during which DPRK hackers pilfered defense secrets over the course of a year. The Korean National Police Agency (KNPA) attributed the campaign to three DPRK state-sponsored groups: Lazarus, Kimsuky, and Andariel. According to local reports, these groups targeted up to 83 defense contractors and subcontractors, successfully compromising and extracting sensitive information from at least ten individuals between October 2022 and July 2023.

The KNPA report highlighted an instance in which threat actors exploited an email system vulnerability, allowing them to download large files without authentication. Additionally, they capitalized on weak password security to hijack the account of a third-party IT maintenance company, subsequently infecting a defense contractor with malware. Reports indicate that the compromised employee used the same password for both corporate and personal emails. In a third example shared by the KNPA, administrators paused security controls on an internal network during testing, which allowed their adversaries to compromise and exfiltrate sensitive data.

ROK has emerged as a major participant in the global arms trade, with recent contracts totaling billions of dollars for the procurement of howitzers, tanks, and fighter jets. According to an unnamed defense expert, DPRK weaponry is becoming increasingly similar to that of ROK. The design of the KN-23, a surface-to-surface missile recently unveiled by DPRK, closely resembles that of ROK’s Hyunmoo-4 ballistic missile.

Recommendations

  • The FBI, the US Department of State, and the NSA advise administrators to update their organization’s DMARC security policy to use “v=DMARC1; p=quarantine;” or “v=DMARC1; p=reject;” configurations. The first instructs email servers to quarantine emails that fail DMARC and tag them as potential spam, while the second tells them to block all emails that fail DMARC checks.
  • Set other DMARC policy fields, such as “rua,” to receive aggregate reports about the DMARC results for email messages purportedly from the organization’s domain.
  • The NJCCIC products, New Jersey Email Authorization & Authentication Set Up PDF and the Sender Policy Framework – SPF Guide, provide additional information on establishing DMARC authentication.
  • Make informed decisions regarding sharing information with individuals, businesses, services, and applications, regardless of specific endorsements and affiliations.
  • Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
  • Red flag indicators, additional recommendations, and technical analysis can be found in the joint cybersecurity advisory.
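The weak-versus-recommended DMARC configurations above can be checked mechanically. The following is an added example, not code from the advisory or from NJCCIC: it parses a domain's DMARC TXT record into its tags and reports whether the policy is enforcing (p=quarantine or p=reject applied to 100% of failing mail) and whether the rua reporting tag is present. The sample records and the mailbox address are constructed for illustration.

```python
# Constructed sample DMARC TXT records (not taken from the advisory). The first is the
# weak "p=none" configuration the advisory warns about; the others follow its advice.
SAMPLE_RECORDS = {
    "weak": "v=DMARC1; p=none;",
    "quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.org",
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org; pct=100",
    "not_dmarc": "v=spf1 -all",  # an SPF record published where DMARC was expected
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 'tag; tag' syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' seen in 'p=quarantine;'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing 'v=DMARC1'")
    if "p" not in tags:
        raise ValueError("DMARC record missing the required 'p' tag")
    return tags


def assess_dmarc(record: str) -> dict:
    """Classify a record as enforcing or not and list the gaps a defender should close."""
    try:
        tags = parse_dmarc(record)
    except ValueError as err:
        return {"policy": "invalid", "enforcing": False, "findings": [str(err)]}
    policy = tags["p"].lower()
    findings = []
    if policy == "none":
        findings.append("p=none: spoofed mail is still delivered; use p=quarantine or p=reject")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unrecognised policy value: {policy}")
    if "rua" not in tags:
        findings.append("no rua tag: the domain receives no aggregate reports of failing mail")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "enforcing": enforcing, "findings": findings}
```

Running assess_dmarc over each entry in SAMPLE_RECORDS flags the "weak" record on both counts (no enforcement, no reporting) and reports the two recommended records as clean.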