New North Korean APT launders crypto to fund spying programmes

Threat researchers at Google Cloud’s Mandiant have attributed a campaign of cyber criminal activity out of North Korea to a newly designated advanced persistent threat actor, APT43, in its first official “upgrade” in six months.

Mandiant said APT43 was a prolific threat actor operating on behalf of North Korea’s regime, and like many other groups operating from the impoverished and isolated state, its stock-in-trade is financially motivated cyber crime.

Its researchers have been tracking the group’s activity since 2018, poring over reams of research data and connecting the dots between various incidents, but only now has it gathered enough evidence to be able to make a formal attribution.

APT43’s priorities align with the mission of North Korea’s foreign intelligence unit, the Reconaissance General Bureau (RGB), and its primary focus is the laundering of cryptocurrency to buy operational infrastructure in such a way that it reduces the need for central government to spend much-needed funds. This aligns with the state’s Juche ideology of self-reliance.

Its targeting has heretofore been mainly against targets in South Korea, Japan, Europe and the US in a wide range of sectors, including government, business and manufacturing. Like many other North Korean advanced persistent threats (APTs), it also targets educational and research institutions, and organisations such as political thinktanks that deal in regional geopolitics and especially nuclear policy.

“In Europe, concerns for this group should be focused more on the espionage side than on revenue-generation activities, which have been more common in the US,” said Mandiant principal analyst Michael Barnhart.

“During the pandemic, parts of APT43 had secondary objectives to acquire Covid-19 vaccine-related information in addition to their mandate surrounding strategic nuclear and foreign relations efforts, so we saw them target thinktanks and policy-making organisations, foreign relations entities, and governing bodies in Europe to try to achieve this goal.

“We’ve also seen the group posing as journalists to inquire into matters of intelligence interest to the DPRK regime, targeting European organisations. Some of these information-seeking messages contain no payloads and are simply meant to establish a rapport, but others have malware-laden documents or links in the form of a news questionnaire to send back to the attackers,” said Barnhart.

"We’ve seen APT43 be extremely successful with these fake reporter emails, generating high success rates in eliciting a response from targets. This serves as a reminder to verify the addresses and identities of the people you’re speaking to.”

APT43 deploys phishing emails and social engineering tactics to compromise its victims, and does not seem to be actively interested in zero-day exploits, said Mandiant.

The group has been observed creating numerous spoofed or outright fraudulent personas that it uses in social engineering, and its operatives often present themselves as key individuals in their target area, such as high-profile diplomats or geopolitical analysts.

“We believe North Korea has become increasingly dependent on its cyber capabilities, and APT43’s persistent and continuously developing operations reflect the country’s sustained investment and reliance on groups like APT43”

It uses stolen personally identifiable information (PII) on such individuals to create convincing accounts and domains to fool their targets.

It also creates cover identities for purchasing operational tooling and IT infrastructure for its paymasters.

Where it does use malware, APT43 has been observed using a relatively large toolkit of publicly available tools, including gh0st RAT, QUASARRAT, AMADEY and the LATEOP VisualBasic backdoor, but has also been seen developing its own variants in-house, notably an Android-variant of the PENCILDOWN Windows-based downloader.

Ultimately, APT43’s goal seems to be to use the cryptocurrency it steals to buy hash rental and cloud mining services to provide hash power, which it then uses to mine cryptocurrency to a wallet selected by itself without any blockchain-based association to its original payments. Effectively, it launders cryptocurrency by using stolen funds to create clean funds.

Mandiant said the group was clearly self-supporting and able to fund its own operations, and that barring a drastic change in North Korea’s priorities, or the downfall of its regime, would remain prolific in carrying out espionage campaigns and financially motivated activities in support of its goals.

“We believe North Korea has become increasingly dependent on its cyber capabilities, and APT43’s persistent and continuously developing operations reflect the country’s sustained investment and reliance on groups like APT43,” the research team concluded.

“As demonstrated by the group’s sudden but temporary shift towards healthcare and pharmaceutical-related targeting, APT43 is highly responsive to the demands of Pyongyang’s leadership.

“Although spear-phishing and credential collection against government, military and diplomatic organisations have been core taskings for the group, APT43 ultimately modifies its targeting and tactics, techniques and procedures to suit its sponsors, including carrying out financially motivated cyber crime as needed to support the regime,” they added.

More information on APT43, including indicators of compromise (IoCs), can be downloaded here.