On June 1, the FBI, the U.S. Department of State and the National Security Agency, together with the Republic of Korea’s (ROK) National Intelligence Service, National Police Agency and Ministry of Foreign Affairs, issued a joint advisory (the Joint Advisory) regarding a recent increase in the use of social engineering by the Democratic People’s Republic of Korea’s (DPRK or North Korea) state-sponsored cyber actors to gain access to the computer systems of individuals employed by research centers and think tanks, academic institutions, and news media organizations. These North Korean cyber actors are known to conduct spearphishing campaigns posing as real journalists, academics or other individuals with credible links to North Korean policy circles. The DPRK employs social engineering to collect intelligence on geopolitical events, foreign policy strategies and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research and communications of its targets.
The Joint Advisory explains that the U.S. government and others are tracking several groups of North Korean cyber actors working to obtain intelligence to provide to the North Korean government. The most prominent of these groups is called “Kimsuky,” which is known to be a state-backed cyber hacking group that targets think tanks, educational institutions and nuclear power plants. The Joint Advisory explains that North Korea relies heavily on intelligence gained by groups such as Kimsuky. Even if the information obtained does not have significant geopolitical value, the North Koreans utilize the information to craft more credible and effective spearphishing emails that can be leveraged against more sensitive, higher-value targets.
When North Korean cyber actors such as the Kimsuky group engage in spearphishing campaigns, they generally perform significant research on their targets and then impersonate an actual person, such as a journalist, who would be expected to legitimately contact the target. The initial email, sent from a spoofed domain, often contains a malicious link or attachment that will allow the North Korean actors to gain access to the target’s computer systems and/or email mailbox if the target clicks on the link or downloads the attachment. In addition to showing several sample emails that the North Korean actors sent in connection with their spearphishing campaigns, the Joint Advisory lists several red flags that universities should be looking for when trying to spot these emails. Notably:
- The emails may include real text of messages recovered from previous victim engagement with other legitimate contacts.
- Emails in English may sometimes have awkward sentence structure and/or incorrect grammar.
- Victims/targets with both direct and indirect knowledge of policy information – i.e., U.S. and ROK government employees/officials working on North Korea, Asia, China or Southeast Asia matters; U.S. and ROK government employees with high clearance levels; and members of the military – are approached with questions about common themes, such as North Korean nuclear issues and denuclearization on the Korean Peninsula.
- Email domains look like a legitimate news media site but do not match the domain of the company’s official website.
- Spoofed email accounts carry subtle misspellings of the names and email addresses of the legitimate accounts listed in a university directory or on an official website.
- Malicious documents require the user to click “Enable Macros” to view the document.
- The actors are persistent if the target does not respond to the initial spearphishing email. They will likely send a follow-up email within two or three days of the initial contact.
- Emails purporting to be from official sources are sent using unofficial email services.
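Several of the red flags above (lookalike domains, misspelled names, official-sounding senders on free webmail, macro-bearing attachments) can be checked mechanically at the mail gateway. The following is an added example, not part of the Joint Advisory; every organisation, domain, contact and message in it is constructed sample data, and the similarity threshold is an assumption.

```python
"""Heuristic triage of inbound mail against the red flags listed above.
Added example, not part of the advisory. Every domain, name and message
here is constructed sample data, not an indicator from the advisory."""
from collections import namedtuple
from difflib import SequenceMatcher

# Constructed reference data a university mail gateway would hold.
KNOWN_ORGS = {"example-times.org": "Example Times"}    # official domain -> organisation
DIRECTORY = {"Jane Doe": "jane.doe@example-times.org"}  # legitimate contact -> address
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")

Message = namedtuple("Message", "display_name address attachments", defaults=[()])

def near_miss(a: str, b: str, threshold: float = 0.8) -> bool:
    """True when a and b are almost, but not exactly, the same string (assumed threshold)."""
    return a.lower() != b.lower() and SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold

def triage(msg: Message) -> list[str]:
    """Return 'code: detail' strings, one per red flag the message raises."""
    flags = []
    domain = msg.address.rsplit("@", 1)[-1].lower()
    for official, org in KNOWN_ORGS.items():
        if near_miss(domain, official):  # resembles a legitimate domain but is not it
            flags.append(f"lookalike-domain: {domain} resembles {official}")
        if domain in FREE_WEBMAIL and org.lower() in msg.display_name.lower():
            flags.append(f"free-webmail: '{msg.display_name}' sent from {domain}")
    for name, addr in DIRECTORY.items():
        if msg.display_name == name and msg.address.lower() != addr:  # right name, wrong address
            flags.append(f"directory-mismatch: {name} is {addr}, not {msg.address}")
        elif near_miss(msg.display_name, name):  # subtly misspelled known contact
            flags.append(f"misspelled-name: '{msg.display_name}' resembles {name}")
    for att in msg.attachments:
        if att.lower().endswith(MACRO_EXTENSIONS):  # format exists to carry macros
            flags.append(f"macro-attachment: {att}")
    return flags

# Constructed sample messages: three that should raise flags, one clean.
SAMPLES = [
    Message("Jane Doe", "jane.doe@examp1e-times.org", ["interview_questions.docm"]),
    Message("Example Times Correspondent", "et.newsdesk@gmail.com", ["questions.pdf"]),
    Message("Jane Dooe", "janedoe.press@outlook.com"),
    Message("Jane Doe", "jane.doe@example-times.org", ["notes.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.address, "->", triage(m) or ["no red flags"])
```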
Potential Mitigation Measures
The Joint Advisory lists several measures that educational institutions can take to reduce the likelihood that any of their users will be victimized by spearphishing efforts. Those measures include:
- Implementing a user training program and phishing exercises to raise awareness among users about the risks of visiting websites, clicking on links and opening attachments.
- Requiring phishing-resistant multifactor authentication for as many services as possible – particularly for webmail, virtual private networks (VPNs), accounts that access critical systems and privileged accounts that manage backups.
- Regularly using port-checking capabilities to determine whether the network is being accessed remotely through desktop-sharing software, a VPN or a virtual private server, particularly if using remote desktop-sharing software or VPN services to access accounts is not standard practice.
- Limiting access to resources over internal networks, especially by restricting remote desktop protocols and using virtual desktop infrastructure.
- Ensuring devices are properly configured and security features are enabled.
- Disabling ports and protocols not in use for a business purpose.
- Reviewing the security posture of third-party vendors and those interconnected with the university, and ensuring that all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
- Implementing application control policies that allow systems to execute only known and permitted programs.
- Opening document readers in protected viewing modes to help prevent active content from running.
- Installing updates for operating systems, software and firmware as soon as they are released.
- Installing and regularly updating antivirus and anti-malware software on all hosts.
- Requiring administrator credentials to install software.
- Adding an email banner to messages coming from outside the university indicating that they are higher-risk messages.
- Adding rules to block emails that match the sample emails provided in the Joint Advisory.
- Enabling email authentication methods such as DMARC and DKIM on email domains, which generally makes certain forms of email spoofing more difficult.
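A DMARC record only makes spoofing harder when it is actually set to enforce, so a check of the published policy is worth automating. The following is an added example, not part of the Joint Advisory; the two records are constructed TXT strings of the kind published at _dmarc.<domain>, and the report address in them is a placeholder.

```python
"""Grade a DMARC TXT record as enforcing or merely monitoring.
Added example, not part of the advisory. Records below are constructed."""

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record: str) -> list[str]:
    """Return the weaknesses that leave spoofed mail deliverable; empty means enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none")
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if tags.get("sp", policy) == "none":  # sp defaults to p when absent
        issues.append("subdomains unprotected (sp=none or inherited p=none)")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports to reveal spoofing attempts")
    return issues

# Constructed records: a monitoring-only policy beside an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@university.example"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD):
        print(rec, "->", evaluate_dmarc(rec) or ["enforcing"])
```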
Universities are no strangers to phishing email campaigns, often seeing several per day. This Joint Advisory should serve as a reminder, however, of what could be at stake if an entity connected with North Korea such as the Kimsuky group gains access to information that the North Korean government can use for geopolitical purposes. Therefore, it is important that universities consider implementing some or all of the measures described above to reduce the likelihood that their users will be victimized. Educational institutions or other entities that believe they may have been targeted by a North Korean spearphishing campaign should go to www.ic3.gov to file a report with the FBI; reference #KimsukyCSA in the incident description.