Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks
Researchers at SentinelOne have uncovered a new Kimsuky-backed social-engineering campaign targeting experts in North Korean affairs to steal Google and subscription credentials for NK news, an American-based news website that provides analysis and news focusing on North Korea. In the latest campaign, the group was observed sending emails impersonating Chad O’Carroll, the founder of NK News. The emails request victims to review a draft article analyzing the nuclear threat posed by North Korea. If the victim replies to the email, a follow up email is sent by Kimsuky which contains a spoofed URL to a Google document, designed to redirect the target to a malicious website crafted to capture Google credentials. In a similar fashion, Kimsuky was also seen distributing emails that convince victims to login to an attacker-created domain, nknews[.]pro, which masquerades as the official site for NK News nkwes[.]org. Unsuspecting victims are presented with a login form, which when filled out and submitted will send legitimate NK News login credentials to the threat actors.
Security Officer Comments:
Kimsuky is a North Korean APT group whose motives align with the interests of the North Korean government. Like previous campaign, the goal of the latest attacks is to gather intelligence and access sensitive information. Given that NK News login credentials are being targeted, SentinelOne states that “gaining access to such reports would provide Kimsuky with valuable insights into how the international community assesses and interprets developments related to North Korea, contributing to their broader strategic intelligence-gathering initiatives.”
In some instances, researchers noted that the emails also contain a weaponized Office document designed to execute ReconShark, a popular malware that Kimsuky uses for reconnaissance purposes. This further highlights the group’s motive to gather intelligence which serves to benefit the North Korean regime.
Suggested Correction(s):
With phishing emails being the initial infection vector, users should adhere to the following recommendations:
Link(s):
https://thehackernews.com/2023/06/kimsuky-targets-think-tanks-and-news.html https://www.sentinelone.com/labs/ki...redentials-and-gather-strategic-intelligence/