North Korean Hackers Spoofing Journalist Emails to Spy on Policy Experts

A recent advisory from US government agencies, including the FBI, the US Department of State, and the NSA, highlighted the activities of North Korean threat actors, specifically the Kimsuky group, who exploit weak email authentication policies for espionage. They take advantage of poorly configured DMARC (Domain-based Message Authentication, Reporting and Conformance) policies, published in DNS and designed to authenticate email, to masquerade as legitimate figures such as journalists and academics with expertise in East Asian affairs. The phishing campaigns orchestrated by Kimsuky are meticulously targeted, aiming at individuals such as policy analysts and subject-matter experts. These attacks are part of a broader strategy by North Korea to gain insight into geopolitical events and foreign policy strategies, particularly in countries it considers adversaries, such as the US and South Korea.

To make their phishing emails appear legitimate, the threat actors create fake personas by pairing invented usernames with the real domain names of reputable organizations such as think tanks and universities. They exploit weaknesses in DMARC policies, which are intended to prevent unauthorized use of email domains, so that their emails reach the intended recipients' inboxes rather than being flagged as spam or blocked.

Security Officer Comments:
Indicators for the campaign include initial benign communications followed by malicious content, emails with awkward English or incorrect grammar, spoofed email accounts with subtle misspellings, and malicious documents that require enabling macros. The threat actors also follow up quickly if there's no response to initial phishing attempts, adding to the urgency of vigilance against these tactics.

Suggested Corrections:
A missing DMARC policy, or a DMARC policy with “p=none”, tells the receiving email server to take no security action on emails that fail DMARC checks and to deliver them to the recipient’s inbox. For organizations to make their policy stricter and signal to email servers that unauthenticated emails should be treated as spam, the authoring agencies recommend mitigating this threat by updating the organization’s DMARC policy to one of these two configurations:

  • “v=DMARC1; p=quarantine;”
    • “p=quarantine” indicates that email servers should quarantine emails that fail DMARC, considering them to be probable spam.
  • “v=DMARC1; p=reject;”
    • “p=reject” instructs email servers to block emails that fail DMARC, considering them to be almost certainly spam.

In addition to setting the “p” field in DMARC policy, the authoring agencies recommend organizations set other DMARC policy fields, such as “rua” to receive aggregate reports about the DMARC results for email messages purportedly from the organization’s domain.
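As an added example (not part of the advisory), the following Python script parses DMARC TXT records and flags the weak configurations described above, a missing record and “p=none”, along with two related checks: a “pct” value below 100, which limits how much failing mail the policy applies to, and a missing “rua” tag. The domain names and records are constructed placeholders, and no DNS lookups are made.

```python
# Constructed sample "_dmarc" TXT records for placeholder domains. No DNS queries are
# made; a real check would look up TXT at _dmarc.<domain> and feed the string in.
SAMPLE_RECORDS = {
    "none.example": "v=DMARC1; p=none; rua=mailto:dmarc@none.example",
    "missing.example": None,
    "quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@quarantine.example",
    "reject.example": "v=DMARC1; p=reject",
    "pct0.example": "v=DMARC1; p=reject; pct=0; rua=mailto:dmarc@pct0.example",
    "spf.example": "v=spf1 include:_spf.example -all",
}

def parse_dmarc(record):
    """Return {tag: value} for a syntactically valid DMARC record, else None."""
    if not record:
        return None
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None
        tags.append((key.strip().lower(), value.strip()))
    # RFC 7489: "v=DMARC1" must be the first tag and "p" is required.
    if not tags or tags[0] != ("v", "DMARC1") or "p" not in dict(tags):
        return None
    return dict(tags)

def assess_dmarc(record):
    """Classify a record as the advisory does and list the changes it recommends."""
    tags = parse_dmarc(record)
    if tags is None:  # missing or malformed: receivers apply no DMARC policy at all
        return {"policy": None, "enforcing": False,
                "actions": ["publish v=DMARC1; p=quarantine; or v=DMARC1; p=reject;"]}
    policy = tags["p"].lower()
    enforcing = policy in ("quarantine", "reject")
    actions = []
    if not enforcing:
        actions.append("change p=none to p=quarantine or p=reject")
    # pct defaults to 100; a lower value applies the policy to only that share of mail.
    pct = tags.get("pct", "100")
    if enforcing and (not pct.isdigit() or int(pct) < 100):
        actions.append("remove pct=%s so the policy applies to all failing mail" % pct)
    if "rua" not in tags:
        actions.append("add rua=mailto:<address> to receive aggregate reports")
    return {"policy": policy, "enforcing": enforcing, "actions": actions}
```

Running `assess_dmarc` over each entry in `SAMPLE_RECORDS` shows which placeholder domains would still let spoofed mail through unchallenged.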