The North Korea-affiliated group Kimsuky’s email attacks targeted research and media organizations.
A bilateral coalition of security agencies issued a new cybersecurity advisory on Friday morning, warning of North Korea state-sponsored actors posing renewed social engineering hacking threats.
Law enforcement agencies within the U.S. and South Korea — including the FBI, the U.S. Department of State, the Republic of Korea’s National Intelligence Service and the Ministry of Foreign Affairs — warned of the DPRK cyber group identified as Kimsuky targeting individuals employed by research centers and think tanks, academic institutions and news media organizations.
Kimsuky hackers aim to gather intelligence from these entities primarily through social engineering, which refers to using deception to manipulate and exploit human error. The advisory specifies that spear phishing is one of Kimsuky’s most common tactics, particularly in the form of malicious emails that lead to compromising network security.
“North Korea relies heavily on intelligence gained by compromising policy analysts,” the advisory reads. “For over a decade, Kimsuky actors have continued to refine their social engineering techniques and made their spearphishing efforts increasingly difficult to discern.”
One notable tactic Kimsuky uses is impersonating popular journalists and news outlets through mimicked email addresses. From there, malicious actors tend to send a link falsely claiming to be an article or news report, which contains password-protected documents that help hackers evade antivirus software.
The advisory provides specific email templates Kimsuky has been known to use, and recommends several cybersecurity practices to defend against a successful spearphishing attempt. These include limiting access over internal networks, assessing risks, ensuring proper device configuration and updating antivirus software.
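The two tactics described above, a sender address that mimics a known outlet and a password-protected attachment, both leave signals a mail gateway can check. The following Python triage routine is an added example and is not code from the advisory or from any of the issuing agencies. It assumes a constructed allow-list of expected sender domains (`KNOWN_DOMAINS`), a constructed sample message built with the standard `email` library, and uses the ZIP local-file-header encryption bit to spot encrypted archives; Office documents encrypted in other ways are not covered, and the body check for a supplied password is a heuristic.

```python
import email
import email.utils
import re
import struct
from email import policy
from email.message import EmailMessage

# Constructed allow-list of domains this organisation expects press mail from
# (an assumption for the example; a real list comes from the organisation).
KNOWN_DOMAINS = {"example-news.org", "example-times.com"}

# Heuristic: bodies that hand the reader a password for the attachment.
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(is|:)", re.IGNORECASE)


def registrable(domain):
    """Crude registrable-domain extraction: the last two DNS labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def levenshtein(a, b):
    """Plain edit distance, used to catch single-character swaps like 1 for l."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain, known_domains=KNOWN_DOMAINS):
    """Return the legitimate domain the sender domain appears to imitate, or None.

    An exact match is legitimate. Two lookalike signals are checked: a small edit
    distance between registrable domains, and a legitimate brand label reused as
    a subdomain label under some other registrable domain.
    """
    reg = registrable(sender_domain)
    labels = sender_domain.lower().split(".")
    if any(reg == registrable(k) for k in known_domains):
        return None
    for known in known_domains:
        kreg = registrable(known)
        brand = kreg.split(".")[0]
        if levenshtein(reg, kreg) <= 2 or brand in labels:
            return known
    return None


def is_encrypted_zip(data):
    """ZIP local file header: general-purpose bit flag at offset 6, bit 0 = encrypted."""
    if len(data) < 8 or not data.startswith(b"PK\x03\x04"):
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def triage(raw_bytes, known_domains=KNOWN_DOMAINS):
    """Return a list of findings for one raw RFC 5322 message (empty if clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    target = lookalike_domain(domain, known_domains)
    if target:
        findings.append(f"sender domain {domain!r} resembles {target!r}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if PASSWORD_HINT.search(body):
        findings.append("body supplies a password for an attachment")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if is_encrypted_zip(data):
            findings.append(f"attachment {part.get_filename()!r} is an encrypted zip")
    return findings


def build_sample():
    """Constructed sample message showing both signals; not a real captured email."""
    m = EmailMessage()
    m["From"] = "News Desk <desk@examp1e-news.org>"   # digit 1 in place of letter l
    m["To"] = "analyst@think-tank.example"
    m["Subject"] = "Draft article for your comment"
    m.set_content("Please review the attached draft. The password is Draft2023.")
    # Constructed ZIP local file header with the encryption flag (bit 0) set;
    # the remaining bytes are filler sufficient for the header check.
    header = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22
    m.add_attachment(header, maintype="application", subtype="zip", filename="draft.zip")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The edit-distance threshold of 2 is deliberately loose and will flag short, unrelated domains; in practice it is paired with the allow-list so only mail that is close to a trusted brand, rather than any two-character difference, reaches an analyst.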
This latest advisory follows escalating geopolitical tensions between the U.S. and North Korea, China and Russia, which have manifested in mounting incidents and industry concern over state-sponsored cyberthreats.
Earlier in May, the Five Eyes, a security alliance consisting of the U.S., Australia, New Zealand, Canada and the United Kingdom, issued a similar advisory warning of Volt Typhoon’s hacking endeavors.
Volt Typhoon was found to have links to the government of China and targets critical infrastructure operations.