Mandiant identifies new North Korea state-backed hacking group
Researchers have identified a new state-backed hacking group in North Korea: APT43.
Driving the news: Mandiant, a threat intelligence firm owned by Google, said in a report today that APT43 has been engaging in espionage campaigns to support the North Korean regime.
- APT43 also appears to target cryptocurrency firms and services and uses the profits to fund its espionage operations, the report states.
- The group typically targets organizations in South Korea and the United States, with a special focus on government, business services, manufacturing and education and research groups.
The big picture: Mandiant has "moderate confidence" that APT43 is specifically linked to North Korea's foreign intelligence service, the Reconnaissance General Bureau.
- Mandiant has been tracking this cluster of activity since 2018, and today's report formally graduates it to a named, state-backed APT group.
Of note: Other vendors' reporting on "Kimsuky" and "Thallium" overlaps with the activity Mandiant tracks as APT43. Each cyber research firm uses its own naming conventions for hacking groups, so the clusters rarely line up one-to-one.
Details: APT43 engages in two types of cyber activity: spear-phishing email campaigns to harvest specific targets' credentials and high-value research, and cryptocurrency firm hacks to get funds for its own operations.
- In the spear-phishing attacks, APT43 poses as reporters and researchers to trick employees at U.S. defense and research organizations, as well as South Korea-based think tanks, into clicking on a malicious email link or responding with key intel.
- APT43 has been seen using cryptocurrency services to launder stolen cryptocurrency, suggesting the group has been involved in the string of recent attacks on cryptocurrency firms.
Threat level: Unlike some other state-backed hacking groups, APT43 has yet to be seen exploiting zero-day vulnerabilities (previously unknown flaws with no patch available) in its attacks.
- However, the group continues to maintain "a high tempo of activity" and has collaborated with several North Korea state-backed hacking groups.