Security researchers uncovered a cyberespionage campaign linked to North Korean actors, targeting foreign policy experts, journalists, and nongovernmental organizations (NGOs). According to a cyberthreat research report from Proofpoint, the North Korean actors mostly target individuals in North America, Russia, and China. The actor, tracked as Threat Actor 406 (TA406), reportedly stole users’ credentials and sensitive financial data from high-level officials, law enforcement officers, and experts in economics and finance.
The attackers have targeted the victims by masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations related to cryptocurrency for financial gain.
TA406 in Brief
- The North Korea-aligned threat actor TA406 conducted frequent credential theft campaigns targeting research, education, government, media, and other organizations in 2021.
- Proofpoint considers TA406 as one of several actors that make up the activity publicly tracked as Kimsuky, Thallium, and Konni Group.
- TA406 doesn’t usually employ malware in campaigns. However, two notable 2021 campaigns attributed to this group attempted to distribute malware that could be used for information gathering.
One Name – Three Groups
Proofpoint stated that TA406 campaigns have targeted users since 2018 and that their activity increased from January 2021. Proofpoint also found that TA406 is associated with the Kimsuky threat actor group. The activity usually operates as three separate threat actors—TA406, TA408, and TA427—that employ malware and credential harvesting in espionage and information-gathering campaigns. TA406 and TA427 operators are responsible for conducting phishing campaigns.
“TA406 uses its own registered and controlled infrastructure to host credential capture web pages and malicious documents and a limited number of legitimate, compromised websites as infrastructure. TA406 uses Gmail, Yandex, and Mail[.]ru email accounts masquerading as legitimate government or nonprofit entities to distribute lures. TA406 also uses custom message-sending tools such as Star and a PHP-based PHPMailer tool. TA406 uses URLs in phishing emails linking to the SendGrid email delivery service that redirects to an attacker-controlled domain hosting the malicious payload or a credential-harvesting page. SendGrid is an email marketing platform used for legitimate business purposes and is often allowed to bypass email security filters; many threat actors use this type of redirect behavior to appear legitimate,” Proofpoint said.
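The sender and link characteristics in the quote above (freemail accounts posing as government or nonprofit entities, and phishing URLs routed through SendGrid click-tracking redirects) can be turned into a simple mail-triage heuristic. The following is an added example for defenders, not code from Proofpoint or the report; the keyword list and the `ct.sendgrid.net` tracking-host pattern are assumptions, and the two messages are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Free webmail providers the report says TA406 sends lures from.
FREEMAIL_DOMAINS = {"gmail.com", "yandex.ru", "yandex.com", "mail.ru"}
# Display-name terms suggesting an impersonated official sender (assumed list).
IMPERSONATION_WORDS = re.compile(
    r"\b(ministry|embassy|diplomat|foreign affairs|human rights|ngo|foundation)\b", re.I)
# SendGrid click-tracking hosts, e.g. u123.ct.sendgrid.net (assumed pattern).
SENDGRID_HOST = re.compile(r"(^|\.)ct\.sendgrid\.net$", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def score_email(raw_message):
    """Return (score, reasons) for a raw RFC 822 message; higher is more suspicious."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    if sender_domain in FREEMAIL_DOMAINS:
        reasons.append(f"freemail sender domain {sender_domain}")
    if IMPERSONATION_WORDS.search(display_name or ""):
        reasons.append(f"official-sounding display name {display_name!r}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if SENDGRID_HOST.search(host):
            reasons.append(f"SendGrid click-tracking redirect via {host}")
            break  # one hit is enough to flag the message
    return len(reasons), reasons

# Constructed sample messages (not real TA406 lures).
SUSPECT = """From: "Ministry of Foreign Affairs" <press.office.mfa@mail.ru>
To: analyst@example.org
Subject: Request for comment

Please review the statement: https://u123.ct.sendgrid.net/ls/click?upn=EXAMPLE
"""
BENIGN = """From: "Weekly Digest" <news@example.com>
To: analyst@example.org
Subject: Weekly digest

Read more at https://www.example.com/digest
"""

if __name__ == "__main__":
    for raw in (SUSPECT, BENIGN):
        print(score_email(raw))
```

A score of 3 means all three traits co-occur; a freemail sender alone is common and should not be alerted on by itself.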
North Korean Actors Continue to Evolve
State-sponsored actors from North Korea continue to target critical organizations worldwide. Recently, security experts from Kaspersky uncovered two recent supply-chain attack campaigns by the North Korean hacking group Lazarus. The attackers gained access to a South Korean security software vendor’s network to abuse its corporate software, and compromised a Latvia-based IT asset-monitoring product vendor, deploying the Blindingcan and Copperhedge backdoors.