April 26, 2024

Researchers from Mandiant have spotted a North Korean APT group that uses cryptocurrency theft to fund its main goal: cyber-espionage on behalf of the Kim Jong-un regime.

To be precise, APT43 is a prolific state actor whose publicly reported activities have been attributed to Kimsuky or Thallium. It is apparently linked to the Reconnaissance General Bureau (RGB), North Korea’s main foreign intelligence service.

The modus operandi relies on prolific spear-phishing campaigns, supported by social engineering and by spoofed domains and email addresses. Its main targets are South Korean and US-based government organizations, academics and think tanks focused on Korean geopolitical issues.
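For defenders triaging the kind of spear-phishing described above, a cheap first-pass check is to compare each sender domain against the short list of domains an organization legitimately corresponds with, flagging lookalike domains (small edit distance) and display-name spoofing (a trusted address written into the display name while the real address is elsewhere). The following is an added example written for this page, not code from Mandiant or from the original post; the allow-list, the sample `From:` headers and the edit-distance threshold are all constructed assumptions.

```python
"""Sender-domain lookalike and display-name spoof check for spear-phishing triage.

Added example, not from the original post or from Mandiant's report. Assumes a
defender keeps a small allow-list of domains it expects mail from; every
domain and header below is a constructed sample.
"""
from email.utils import parseaddr

# Constructed allow-list of domains we expect legitimate mail from.
KNOWN_DOMAINS = {"example-news.com", "example-university.edu", "example-thinktank.org"}

# Constructed sample "From:" header values, as a mail gateway or SIEM would see them.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example-news.com>",                       # legitimate
    "Jane Doe <jane.doe@examp1e-news.com>",                       # digit '1' for letter 'l'
    "Jane Doe <jane.doe@example-news.co>",                        # truncated TLD
    '"jane.doe@example-news.com" <press@unrelated-mail.example>', # trusted address as display name
    "Research Desk <desk@example-thinktank.org>",                 # legitimate
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (iterative dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_parts(header: str) -> tuple[str, str]:
    """Split a From: header into (display name, lower-cased sender domain)."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def classify_sender(header: str, known=KNOWN_DOMAINS, max_dist: int = 2) -> str:
    """Return 'known', a spoof/lookalike verdict, or 'unknown' for one header."""
    name, domain = sender_parts(header)
    if domain in known:
        return "known"
    # Display-name spoof: a trusted domain appears in the name, but the real
    # address is somewhere else entirely.
    for k in known:
        if k in name.lower():
            return f"display-name spoof of {k}"
    # Lookalike: the real domain is within a few edits of a trusted one.
    closest = min(known, key=lambda k: levenshtein(domain, k))
    if levenshtein(domain, closest) <= max_dist:
        return f"lookalike of {closest}"
    return "unknown"


def triage(headers) -> list[tuple[str, str]]:
    """Classify every header; anything that is not 'known' deserves a closer look."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:40s} {header}")
```

The edit-distance threshold of 2 is a starting point, not a tuned value: shorter allow-listed domains need a tighter threshold, and a real deployment would also normalize homoglyphs and internationalized domain names before comparing.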


The group has created many spoofed and fake personas for its social engineering efforts, and sometimes also uses them as cover identities for buying operational tooling and infrastructure.

APT43 has been extremely successful with these fake-reporter emails, achieving high rates of response from targets. Perhaps most interestingly, the group is self-funded, targeting individual victims rather than cryptocurrency exchanges to generate revenue for its state-focused operations, Mandiant claimed.

One such effort used a malicious Android app to target probable Chinese users looking for cryptocurrency loans. Mandiant has also tracked 10 million “phishing NFTs” delivered to crypto users on multiple blockchains since June 2022.

APT43 also uses hash rental and cloud mining services to launder stolen cryptocurrency into clean cryptocurrency. While Mandiant has been tracking the group since 2018, the Google-owned threat intelligence outfit is now designating it as an official advanced persistent threat group.


Mandiant labels major, distinct, clearly defined hacking groups as “APTs” for state-backed outfits and “FINs” for financially motivated cybercriminal gangs. Below that level, it also keeps tabs on dozens of clusters of hacking activity, referred to as “UNCs”, where confidence in attribution is lower or where the activity overlaps with other identified groups or campaigns.

Once the researchers have gathered enough telemetry and intelligence about a particular UNC and are confident it represents a new or distinct group of operators, they will sometimes graduate the cluster to a fully fledged APT or FIN group.

| Sl. No | Malware Used |
|---|---|
| 1 | AMADEY |
| 2 | BENCHMARK |
| 3 | BIGRAISIN |
| 4 | BITTERSWEET |
| 5 | BRAVEPRINCE |
| 6 | COINTOSS |
| 7 | DINOLAB |
| 8 | DRIVEDOWN |
| 9 | EGGHATCH |
| 10 | FASTFIRE |
| 11 | GOLDDRAGON |
| 12 | GOLDDROP |
| 13 | GOLDSMELT |
| 14 | GRAYZONE |
| 15 | HANGMAN |
| 16 | JURASSICSHELL |
| 17 | LANDMARK |
| 18 | LATEOP |
| 19 | LOGCABIN |
| 20 | LONEJOGGER |
| 21 | METASPLOIT |
| 22 | PASSMARK |
| 23 | PENCILDOWN |
| 24 | PENDOWN |
| 25 | PUMPKINBAR |
| 26 | QUASARRAT |
| 27 | SLIMCURL |
| 28 | SOURDOUGH |
| 29 | SPICYTUNA |
| 30 | SWEETDROP |
| 31 | TROIBOMB |
| 32 | VENOMBITE |
