Report: North Korean hackers impersonate journalists to gather nuclear intelligence

A prolific cyber-espionage group associated with Pyongyang, known as APT43, has attempted to collect sensitive information by posing as journalists. (AFP)
Updated 30 March 2023

  • ‘Sophisticated’ group linked to Pyongyang known as APT43
  • Targeted US and South Korea organizations, academics, think tanks

LONDON: North Korean hackers are impersonating journalists to gather intelligence about nuclear security policy, according to a new report.

Research published on Tuesday by Mandiant, a cybersecurity firm and a subsidiary of Google, found that in recent months a prolific cyber-espionage group associated with Pyongyang, known as APT43, has attempted to collect sensitive information by posing as journalists.

“Mandiant tracks tons of activity throughout the year, but we don’t always have enough evidence to attribute it to a specific group,” the firm said in a blog post.

“However, as we continue to observe more activity over time and our knowledge of related threat clusters matures, we may graduate it to a named threat actor. Such is the case with APT43.”

The group used the fabricated personas to contact organizations, academics and think tanks mainly in the US and South Korea, to obtain information by enquiring about nuclear security policy and weapons proliferation.

In one instance, the group contacted experts by posing as Voice of America journalists.

One message that appeared to be from a Voice of America correspondent asked an unnamed individual whether they expected Japan to increase its defense budget amid North Korean nuclear tests.

“I would be very grateful if you could send me your answers within five days,” the writer said.

In a similar campaign revealed in March, Mandiant said suspected North Korean hackers also distributed a fake email attachment that appeared to be from a recruiter for the New York Times.

“Anybody could be a victim of this. They’re just incredibly innovative and a scrappy group,” said Sandra Joyce, vice president and head of global intelligence at Mandiant.

In the report, Mandiant said that the hackers used a variety of tactics that focused on “creating numerous spoofed and fraudulent, but convincing personas” and leveraged stolen personally identifiable information to create accounts and register domains meant to look like legitimate websites and boost the credibility of the hackers’ cyber-espionage work.

The hackers also offered to pay scholars hundreds of dollars in exchange for writing research papers.

They also used malicious apps to generate cryptocurrency, steal usernames and passwords and conduct espionage focused on international negotiations about nuclear policy.

Mandiant is confident the group works on behalf of the Reconnaissance General Bureau, North Korea’s primary intelligence service.

“Although the overall targeting reach is broad, the ultimate aim of campaigns is most likely centered around enabling North Korea’s weapons program.” This included collecting information about international negotiations, sanctions policy, and other countries’ foreign relations and domestic politics “as these may affect North Korea’s nuclear ambitions,” Mandiant stated in the report.

According to Mandiant, the group is well funded and has a sophisticated understanding of cyber-espionage techniques. The firm expects APT43’s activities to continue and even escalate.

The firm warned that organizations should be aware of APT43’s tactics and take steps to protect themselves, including implementing strong security measures and educating employees about the dangers of phishing attacks.