
Suspected North Korean cybercrime group uses hacking to target intel and cash

‘Humans make mistakes, despite the best security systems,’ one expert tells IT Brew.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Mandiant, the Google-owned threat intelligence firm, revealed on March 28, 2023 that the North Korean state-sponsored group APT43 had been using a variety of tactics in the service of both espionage and financial gain.

North Korea might not be the first country that comes to mind when it comes to sophisticated cyberattacks, but as Korea Risk Group analyst Nils Weisensee told IT Brew, that hardly matters: today anyone with internet access can find everything they need to mount an effective attack on nearly any system.

“All the information is out there, all the materials, all the intel, all the knowledge that you need to learn in order to break into systems is available on the internet for anybody who knows how to look,” Weisensee told IT Brew.

Dexterity stats. APT43 is “agile” and “creative,” according to Weisensee, but most importantly, patient—giving them the ability to invest days, weeks, and even years into social engineering their targets.

“It’s become much, much harder to assess whether a request from somebody is malicious or not, simply because it could take weeks of conversation before they ever send any malware your way,” Weisensee said.

APT43’s combination of malware and relationship-building strikes Ethan Schmertzler, CEO of industrial security firm Dispel, as particularly clever, and as raising the stakes of the attacks. By going after people rather than systems, using dummy accounts and posing as researchers, reporters, and the like, the group is aiming at softer targets.

“Humans make mistakes, despite the best security systems,” Schmertzler told IT Brew.

Play it safe. Schmertzler told IT Brew that APT43’s actions mainly fall into relatively predictable espionage patterns. The gang uses a mix of social engineering and malicious code to access information—mainly related to nuclear weapons and treaties. What sets APT43 apart from other, similar groups around the world is the gang’s focus on making money.

“They’re trying to get money and get funds that they can then use to buy equipment that they can use to launder money,” he said.

Schmertzler believes that IT teams working on critical infrastructure should be on high alert for this group. Fortunately, US government policy has shifted toward greater protection for the networks that run these critical industrial systems.

“Those are all positive indicators,” Schmertzler said.—EH
