Researchers at Mandiant have discovered a North Korean threat actor, tracked as APT43, that has been targeting organizations in the United States, Europe, Japan, and South Korea for the past five years. The researchers have assessed with high confidence that the actor is state-sponsored and with moderate confidence that it belongs to the North Korean Reconnaissance General Bureau, the country’s primary foreign intelligence service. APT43 engages primarily in espionage and financially motivated cybercrime operations, mainly targeting government organizations, academics, and think tanks. APT43 has been observed shifting the focus of its operations abruptly, suggesting it receives its orders as part of broader strategic planning.
APT43 typically uses spear-phishing emails as a means of initial access, directing users to sites impersonating legitimate entities with the ultimate goal of credential harvesting. The actor then uses these credentials to log in as the target and collect intelligence directly. It also uses the compromised target’s contacts to conduct further phishing operations. Much like other North Korean threat actors, this group is believed to fund itself through cybercrime rather than relying on state funding. One observed tactic is the use of malicious Android applications posing as cryptocurrency loan services, which steal cryptocurrency from the victim; the proceeds are then laundered through hash rental and cloud mining services.
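Because the initial access described above relies on sites impersonating legitimate entities, a common defensive control is to screen URLs extracted from inbound mail for lookalike domains. The following is an added example written for this page, not code from Mandiant or from the article, and it assumes a constructed list of protected domains (`example-university.edu`, `policy-institute.org`) and constructed sample URLs. It flags homoglyph substitutions, protected labels embedded in a longer domain, small edit-distance variants, and a protected name placed in the userinfo or path of an unrelated host.

```python
import re
from urllib.parse import urlparse

# Constructed list of the organization's legitimate domains (illustrative only).
PROTECTED_DOMAINS = {"example-university.edu", "policy-institute.org"}

# Common visual substitutions used in lookalike registrations (illustrative subset).
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]


def normalize_homoglyphs(label: str) -> str:
    """Map look-alike character sequences back to the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels. Production code should use the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):  # bare IPv4 literal: no labels to split
        return host
    return ".".join(host.split(".")[-2:])


def classify_url(url: str) -> tuple:
    """Return (verdict, reason) where verdict is legitimate, lookalike or unknown."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname  # drops scheme, userinfo and port
    if not host:
        return ("unknown", "no host in URL")
    domain = registrable_domain(host)
    if domain in PROTECTED_DOMAINS:
        return ("legitimate", f"host {host} is under protected domain {domain}")
    label = domain.split(".")[0]
    lowered = url.lower()
    for protected in PROTECTED_DOMAINS:
        p_label = protected.split(".")[0]
        # e.g. https://example-university.edu@203.0.113.5/ or a protected name as a subdomain
        if protected in lowered:
            return ("lookalike", f"{protected} appears outside the real host {host}")
        if normalize_homoglyphs(label) == p_label:
            return ("lookalike", f"{domain} is a homoglyph of {protected}")
        if p_label in label:
            return ("lookalike", f"{domain} embeds the protected label {p_label}")
        if levenshtein(label, p_label) <= 2:
            return ("lookalike", f"{domain} is within edit distance 2 of {protected}")
    return ("unknown", f"{domain} does not resemble a protected domain")


if __name__ == "__main__":
    # Constructed sample URLs, one per check the classifier performs.
    for sample in [
        "https://docs.example-university.edu/syllabus",
        "https://examp1e-university.edu/login",
        "http://example-university-login.com/",
        "https://example-univrsity.edu/",
        "https://example-university.edu@198.51.100.7/auth",
        "https://www.unrelated-site.net/",
    ]:
        print(sample, "->", classify_url(sample))
```

The edit-distance threshold and the homoglyph table are tuning knobs: a short protected label with a threshold of 2 will match many unrelated domains, so in practice the threshold should scale with label length and any "lookalike" verdict should feed a review queue or a click-time block rather than an automatic takedown.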
While APT43 is now tracked as a distinct actor, its activity appears to have been mistakenly tied to other threat actors in the past. In particular, some of that activity was attributed to the groups known as Kimsuky and Thallium. There were also overlaps in which APT43 was detected using malware identical to that of the Lazarus Group and UNC1069. Beyond the tools shared with these groups, APT43 has also been seen using publicly available tools such as GhostRAT, QuasarRAT, and Amadey. It also appears to develop its own custom malware that has not been seen used elsewhere.
As with many other threat actors, initial access in the majority of APT43 campaigns has been through phishing emails. While many email monitoring solutions and behavioral detections can be employed against phishing, the best protection is ultimately user education, as phishing techniques are discovered and change quickly. Apart from the phishing techniques this group uses, this report also illustrates another problem that plagues the cybersecurity industry: the difficulty of attribution in cyberspace. When building a threat matrix and behavioral detections for an organization, it is often important to determine which threat actors may target it, so that the techniques those actors are known to use are covered by detection rules. However, as more groups reuse each other's tools or rely on publicly available tooling, accurate attribution is increasingly difficult, as APT43's misattribution over the past few years shows. With accurate attribution becoming harder, it is best to employ a defense-in-depth strategy and maintain detections for all known techniques, regardless of whether a particular actor is believed to be targeting a given organization.
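A behavioral detection built around a technique rather than an actor, which is the defense-in-depth approach argued for above, does not depend on getting attribution right. The following is an added example written for this page, not code from Mandiant or from the article. It correlates two constructed log sources (a mail gateway's suspicious-link click verdicts and an identity provider's successful logins) and alerts when a user logs in from a network never seen for that user within 24 hours of clicking a flagged link, which is the credential-harvesting-then-login pattern the article describes. The event fields, timestamps and addresses are all constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Correlation window: a login from an unfamiliar network this soon after a
# suspicious link click is treated as possible use of harvested credentials.
WINDOW = timedelta(hours=24)

# Constructed sample events: mail-gateway click verdicts plus identity-provider logins.
LOG_LINES = """
{"ts": "2024-03-01T08:00:00Z", "type": "login", "user": "alice", "result": "success", "src_ip": "203.0.113.10"}
{"ts": "2024-03-02T09:00:00Z", "type": "login", "user": "alice", "result": "success", "src_ip": "203.0.113.12"}
{"ts": "2024-03-03T10:15:00Z", "type": "url_click", "user": "alice", "verdict": "suspicious", "url": "https://examp1e-university.edu/login"}
{"ts": "2024-03-03T11:40:00Z", "type": "login", "user": "alice", "result": "success", "src_ip": "198.51.100.7"}
{"ts": "2024-03-03T12:00:00Z", "type": "login", "user": "bob", "result": "success", "src_ip": "203.0.113.50"}
{"ts": "2024-03-04T09:00:00Z", "type": "url_click", "user": "bob", "verdict": "suspicious", "url": "https://policy-institute-docs.com/share"}
{"ts": "2024-03-04T09:30:00Z", "type": "login", "user": "bob", "result": "success", "src_ip": "203.0.113.51"}
{"ts": "2024-03-06T09:00:00Z", "type": "login", "user": "alice", "result": "success", "src_ip": "198.51.100.9"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_logins(events: list) -> list:
    """Alert on a successful login from a /24 never seen for that user, occurring
    within WINDOW after the same user clicked a link the gateway marked suspicious."""
    known_nets = defaultdict(set)      # user -> /24 networks seen in prior clean logins
    recent_clicks = defaultdict(list)  # user -> [(ts, url)] for suspicious clicks
    alerts = []
    for e in events:
        if e["type"] == "url_click" and e.get("verdict") == "suspicious":
            recent_clicks[e["user"]].append((e["ts"], e["url"]))
            continue
        if e["type"] != "login" or e.get("result") != "success":
            continue
        net = ip_network(f"{e['src_ip']}/24", strict=False)
        clicks = [(ts, url) for ts, url in recent_clicks[e["user"]]
                  if timedelta(0) <= e["ts"] - ts <= WINDOW]
        if clicks and net not in known_nets[e["user"]]:
            click_ts, click_url = clicks[-1]
            alerts.append({
                "user": e["user"],
                "src_ip": e["src_ip"],
                "login_ts": e["ts"].isoformat(),
                "clicked_url": click_url,
                "minutes_after_click": int((e["ts"] - click_ts).total_seconds() // 60),
            })
            continue  # do not learn the suspect network as a trusted baseline
        known_nets[e["user"]].add(net)
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(parse_events(LOG_LINES)):
        print(json.dumps(alert))
```

On the constructed data only alice's login from 198.51.100.7 fires: bob's post-click login comes from a network already in his baseline, and alice's later login from the new network falls outside the window. Real deployments would build the baseline from a longer history, key on ASN or device identity rather than a bare /24, and pair the alert with a session-revocation playbook, since the article notes the actor logs in as the target to collect intelligence directly.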