North Korean Advanced Persistent Threat (APT) groups have carved a unique niche in the cyber warfare landscape. Leveraging unconventional Tactics, Techniques, and Procedures (TTPs), they have effectively met their objectives while distinguishing themselves from other prominent APTs originating from Russia, China, or Iran. This blog will delve into the three distinctive TTPs that characterize North Korean APTs, with a specific focus on their activities during 2023-2024, underscoring the innovative ways these groups have impacted the global cyber threat environment.
1. Advanced Social Engineering Targeting Developers and Job Seekers
North Korean APT groups, such as the infamous Lazarus, have elevated social engineering into an art form, manipulating human trust to orchestrate their cyber-operations. These APTs have evolved beyond mere technical exploits, perfecting methods of deception that entice individuals into compromising their own systems— a stark contrast to the more technical methods employed by their Russian, Chinese, and Iranian counterparts.
Lazarus Group’s Developer Outreach
In 2023, Lazarus Group launched the DEV#POPPER social engineering campaign, which remains active in 2024. This operation specifically targets developers and technology professionals in fields like cryptocurrency, cybersecurity, and online gambling. Posing as recruiters or colleagues, Lazarus initiates conversations on platforms such as GitHub, eventually moving communications to private messaging platforms like WhatsApp to build trust. The attackers invite their targets to clone seemingly legitimate GitHub repositories related to media players or cryptocurrency trading tools. However, these repositories contain malicious Node Package Manager (npm) dependencies, which, once integrated, install malware like BeaverTail to facilitate long-term espionage and data exfiltration.
This DEV#POPPER campaign is adaptive, constantly evolving to target new groups, including job seekers. By using new malware variants and professional-looking lures, Lazarus successfully deceives individuals across various industries, tricking them into downloading malicious attachments.
Kimsuky’s Email Compromise Campaign
In May 2024, Kimsuky, another North Korean APT, exploited weak DMARC (Domain-based Message Authentication, Reporting, and Conformance) email security policies to impersonate trusted entities and conduct phishing campaigns targeting government agencies, think tanks, and high-profile organizations. These phishing emails appeared legitimate due to gaps in DMARC implementation, successfully bypassing traditional email security checks. Once the victim opened the emails, they were tricked into clicking on malicious links or downloading infected attachments, giving Kimsuky access to sensitive systems.
This campaign highlights Kimsuky’s adept use of social engineering, manipulating trust in familiar senders to execute spear-phishing campaigns. By combining email spoofing with human-targeted tactics, Kimsuky was able to infiltrate networks undetected, emphasizing how North Korean APTs blend both technical and social vulnerabilities to achieve long-term espionage.
2. Exploitation of Outdated Vulnerabilities
North Korean APTs, particularly Lazarus Group, are known for their strategic use of older, unpatched vulnerabilities to establish persistent footholds in victim networks. This contrasts with other nation-state actors, such as Russian APTs, which prefer to exploit zero-day vulnerabilities for immediate geopolitical impact, or Chinese APTs, which target supply chains for intellectual property theft. Lazarus Group focuses on exploiting older vulnerabilities in unpatched systems to conduct espionage and financially motivated operations, often staying hidden for months or even years.
Log4j (Log4Shell) Exploit for Long-Term Persistence
In December 2023, Lazarus Group continued to exploit the notorious Log4Shell vulnerability (CVE-2021-44228), specifically targeting unpatched VMware Horizon servers. Despite being publicly disclosed in 2021, many organizations failed to apply the necessary patches, allowing Lazarus to install Remote Access Trojans (RATs), which enabled remote control over compromised systems. Once embedded, Lazarus used these RATs to perform surveillance, data exfiltration, and long-term espionage.
By leveraging tools like SupRemo Remote Desktop alongside custom malware, the threat actor ensured they remained undetected for extended periods, allowing for deeper infiltration and data theft.
CVE-2022-47966 Exploitation in ManageEngine
In early 2023, Lazarus Group targeted CVE-2022-47966, a vulnerability in ManageEngine ServiceDesk Plus, which allowed them to execute arbitrary code on unpatched systems. Although the vulnerability was disclosed in late 2022, many organizations remained vulnerable due to slow patching. Lazarus used this flaw to infiltrate healthcare and internet service providers in the US and UK. After gaining access, Lazarus deployed QuiteRAT, a lightweight malware variant, to maintain control over the compromised networks.
In contrast to Russian APTs, which often opt for high-profile, short-term disruptions through zero-day exploits, Lazarus Group relies on a more patient approach. By exploiting older vulnerabilities, they ensure long-term persistence in compromised environments, making their operations more difficult to detect and mitigate.
3. Financially Driven Cybercrime for State Funding
North Korean APTs, especially Lazarus Group, are notorious for using financially motivated cybercrime, such as cryptocurrency theft, to fund the North Korean regime. These operations not only help bypass international sanctions but also generate critical funds to support state activities. Unlike other nation-state actors, which primarily focus on espionage or geopolitical disruption, North Korean APTs incorporate financial cybercrime as a core part of their operations.
Lazarus Group’s Cryptocurrency Heist
In September 2024, Lazarus Group ramped up their efforts to target cryptocurrency firms, focusing specifically on DeFi (Decentralized Finance) platforms. The FBI issued warnings that Lazarus Group had employed phishing techniques to infiltrate these firms by posing as recruiters or investors on professional networks. These attacks used highly sophisticated social engineering tactics, carefully tailored to mimic legitimate opportunities aimed at key employees involved in cryptocurrency operations.
Once the targeted employees clicked on malicious links or downloaded attachments disguised as job-related documents, Lazarus Group deployed malware that gave them access to the companies' internal systems. From here, they began diverting cryptocurrency funds, extracting digital assets directly from the victims’ wallets. The malware also allowed Lazarus to monitor internal communications and track sensitive financial transactions, ensuring they could steal funds over an extended period without detection.
APT43’s Cryptocurrency Laundering Scheme
In March 2024, Kimsuky successfully laundered $147.5 million worth of cryptocurrency through Tornado Cash, a well-known cryptocurrency mixing service. Tornado Cash is a decentralized platform that obfuscates the origins of cryptocurrency transactions by pooling multiple transactions together and redistributing the funds, making it difficult to trace the source or destination of the funds. Following a breach of the HTX cryptocurrency exchange in late 2023, APT43 used this service to blend stolen assets with other transactions, further complicating investigative efforts.
Cryptocurrency mixers, like Tornado Cash, are tools designed to enhance privacy by anonymizing the flow of digital currencies. These services "mix" the cryptocurrency from different users, making it nearly impossible to link the funds back to their original owners. By employing these mixers, APT43 obscured the origins of the stolen cryptocurrency, effectively evading detection and successfully laundering funds to finance the North Korean regime’s activities.
Conclusion
North Korean APTs exhibit distinct TTPs that set them apart from other state-sponsored actors. Their reliance on financially motivated cybercrime, advanced social engineering, and the exploitation of older vulnerabilities enables them to maintain persistence in target networks and generate crucial funds for the regime. Understanding these behaviors is key to defending against these persistent and evolving threats.
Recommendations:
- Ensure timely patching of vulnerabilities, with a focus on prioritizing critical vulnerabilities identified in the CISA Known Exploited Vulnerabilities (KEV) catalog, to reduce the risk of exploitation by threat actors.
- Strengthen email security by enforcing DMARC policies to protect against email spoofing and phishing attempts.
- Avoid using company-issued computers for personal or non-work activities, as this increases the risk of malware infection and network breaches.
- Be cautious of GitHub repositories with limited updates or no activity. Threat actors often use such platforms to spread malware.
- Job applicants should always verify the legitimacy of companies offering interviews and ensure that interviewers actually work for the company they claim to represent.
- Avoid downloading unfamiliar communication tools or software required for job interviews, as these may contain hidden malware.
- Employers should thoroughly vet job applicants, especially for remote roles. Fake identities are common on job-related social media platforms.
- Regularly train employees on how to recognize social engineering tactics, including phishing and impersonation, to prevent falling victim to these schemes.
Here is a file with the MITRE mapping of the North Korean APTs – referred to above: North Korean APTs MITRE TTTPs.
Here is a file with the IOCs for the two campaigns – referred to above: North Korean campaigns IOCs.
CyberProof clients receive IOCs on an ongoing basis from the Threat Intelligence team, which monitors threat actors' activity and proactively provides clients with operationalized intelligence findings.
