TLDR:
North Korean hackers are abusing DMARC to legitimize their phishing emails, targeting experts on U.S. and South Korean foreign policy. They utilize social engineering tactics and web beacons for target profiling. The goal is to gather intelligence on negotiation strategies, rather than for profit.
Article Summary:
North Korean hackers have been found to abuse DMARC (Domain-based Message Authentication, Reporting and Conformance) to make their phishing emails appear legitimate. This tactic helps them evade email authentication checks and lets them mimic authentic senders, leading to more successful phishing campaigns aimed at stealing data or making money. The North Korean state-aligned group TA427 has been specifically tracked for conducting phishing campaigns targeting experts on U.S. and South Korean foreign policy. These campaigns involve soliciting opinions from experts on various topics related to foreign policy, nuclear disarmament, and sanctions. By engaging targets through innocuous conversations and rotating aliases, TA427 builds rapport in order to solicit opinions and analysis from its targets.
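The DMARC abuse described above works because a domain's published policy tells receiving mail servers what to do with a message that fails SPF/DKIM alignment; a missing policy or a monitor-only one (`p=none`) leaves spoofed mail deliverable. The following defender-side checker is an added example, not code from the article or from Proofpoint: it parses the TXT record that would be found at `_dmarc.<domain>` and grades how much protection it actually gives. The domain names and records are constructed samples.

```python
"""Grade a domain's published DMARC record by how far it lets receivers reject
spoofed mail.  Added example; the domains and records below are constructed."""

# Constructed samples keyed by placeholder domain; None = no TXT at _dmarc.<domain>.
SAMPLE_DMARC_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:rpt@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "sub-weak.example": "v=DMARC1; p=reject; sp=none",
    "no-record.example": None,
    "not-dmarc.example": "v=spf1 include:_spf.example -all",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a lower-cased tag -> value dict.
    Returns {} when the text is missing or is not a DMARC1 record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spoofability(record):
    """Return (grade, reasons): 'weak' if receivers are never told to act on a
    spoofed From:, 'partial' if only some mail or only the apex is covered."""
    tags = parse_dmarc(record)
    if not tags:
        return "weak", ["no DMARC record published"]
    reasons = []
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()      # sp defaults to p
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy == "none":
        reasons.append("p=none: receivers only report, they do not act")
    elif pct < 100:
        reasons.append(f"pct={pct}: policy applied to {pct}% of failing mail")
    if sub_policy == "none":
        reasons.append("sp=none: subdomains can still be spoofed")
    if policy == "none":
        return "weak", reasons
    if pct < 100 or sub_policy == "none":
        return "partial", reasons
    return "strong", reasons
```

Running `assess_spoofability` over every record a sending organisation owns (including subdomains) is a quick way to find the domains an impersonator could use with the same lax-policy trick.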
TA427 uses various tactics to make its phishing emails appear legitimate, including shifting conversations between email addresses and impersonating think tanks, NGOs, media outlets, and other organizations. In addition, the group uses web beacons to perform reconnaissance on the victim's active email account and environment in order to gather more information. The ultimate goal of TA427 appears to be intelligence gathering to inform negotiation strategies, rather than financial gain.
Researchers have observed a steady stream of activity from TA427, indicating that they are constantly adapting their tactics to target experts and gather information. By abusing DMARC and using social engineering tactics, TA427 aims to build relationships with targets and solicit valuable insights without directly delivering malware or harvesting credentials. This approach allows them to gather intelligence and improve their targeting for future engagements.
Overall, the abuse of DMARC by North Korean hackers highlights the importance of being vigilant and implementing strong email security measures to protect against phishing attacks and data theft.