
Kimsuky Uses Permissive DMARC Policies to Spoof Emails

North Korean Hackers Focused on Intelligence-Gathering Depend Heavily on Email
North Korean hackers are spoofing domains that have lax DMARC policies. (Image: Shutterstock)

North Korean hackers with an affinity for establishing rapport over email are getting smarter about bypassing anti-spam protections and using tracking pixels, said researchers.


The Pyongyang threat group commonly known as Kimsuky has a history of deploying aggressive social engineering tactics against think tanks, governments and journalists to obtain intelligence on how the external world views the Hermit Kingdom.

Email plays a central role in the threat group's tactics. Kimsuky hackers have used it to lull victims into downloading malware-laced documents but also as a primary intelligence-gathering tool by soliciting analysis from targets in messages where they pose as journalists or think tank staffers. "It is possible that TA427 can fulfill its intelligence requirements by directly asking targets for their opinions or analysis rather than from an infection," said researchers from Proofpoint in a Tuesday blog post, using the designation the U.S. company uses for Kimsuky. The threat group is also known as APT43 and Velvet Chollima.

One way Kimsuky spoofs known organizations is by taking advantage of permissive DMARC policies, Proofpoint said. The Domain-based Message Authentication, Reporting and Conformance protocol is meant to stop email spoofing by letting recipients verify the origin of a message through the domain name system. Domains that enable DMARC rely on the underlying email authentication mechanisms that affix a digital signature to outgoing mail and specify which IP addresses can legitimately send it.

The protocol lets system administrators publish what they ask receiving mail servers to do with emails that fail authentication tests. Options range from rejecting the email to doing nothing - and Kimsuky uses the domains configured with the "do nothing" option to send spoofed emails. The hackers also modify the header display to match the spoofed domain.
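As an added example (not from the article or from Proofpoint's research), the following Python audit parses DMARC TXT records and flags the "do nothing" configuration described above, as well as partially enforced variants a defender would want to catch; the domain names and records are constructed samples, and the `assess_dmarc` and `audit` helpers are this example's own.

```python
# Constructed sample DMARC TXT records (hypothetical domains, not real lookups).
SAMPLE_RECORDS = {
    "permissive.example": "v=DMARC1; p=none; rua=mailto:dmarc@permissive.example",
    "partial.example":    "v=DMARC1; p=reject; pct=20; sp=none",
    "strict.example":     "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "quarantine.example": "v=DMARC1; p=quarantine",
    "broken.example":     "p=reject",  # no v=DMARC1 tag, so receivers ignore it
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (verdict, reason) describing how much spoof protection a record gives."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return ("invalid", "missing v=DMARC1 or p= tag; receivers treat the domain as unprotected")
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp= defaults to p=
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct= is treated as 100 by receivers
    if policy == "none":
        return ("permissive", "p=none: failing mail is only reported, never blocked")
    if pct < 100:
        return ("partial", f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    if subdomain_policy == "none":
        return ("partial", "sp=none: subdomains of this domain can still be spoofed")
    return ("enforcing", f"p={policy} applied to all failing mail and to subdomains")

def audit(records):
    """Map each domain to its verdict so permissive domains stand out in a report."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        verdict, reason = assess_dmarc(rec)
        print(f"{domain:22} {verdict:10} {reason}")
```

In practice the record is the TXT entry published at `_dmarc.<domain>`, so the same checks can be run over a DNS lookup of your own domains to find any that still sit at p=none.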

Kimsuky has also begun to embed tracking pixels into emails in a bid to track data such as whether the target opened the email, when, and on what device. "The web beacons are likely intended as initial reconnaissance to validate targeted emails are active and to gain fundamental information about the recipients' network environments," the blog post says.

Notable organizations impersonated by Kimsuky include the Stimson Center, the Atlantic Council and the Wilson Center. The Biden administration last November put Kimsuky under financial sanctions, which was a mostly symbolic move since North Korea is already cut off from the international financial system. The U.S. Cybersecurity and Infrastructure Security Agency in 2020 said the group has been operational since 2012. During that time, it has used more than 100 different domains as part of its digital infrastructure.

"The threat actor has established itself as a social engineering expert, ignoring the typos from time to time of course, and has also gotten creative in abusing DMARC to enhance the legitimacy of its campaigns, which isn't something we commonly see being leveraged by APT actors in phishing activity," said Greg Lesnewich, a senior threat researcher at Proofpoint.

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.