Meet APT43, the newest North Korean threat

source: Axios, contributed by FAN Bill Amshey

Researchers have identified a new state-backed hacking group in North Korea: APT43.

Driving the news: Mandiant, a threat intelligence firm owned by Google, said in a report today that APT43 has been engaging in espionage campaigns to support the North Korean regime.

  • APT43 also appears to target cryptocurrency firms and services and uses the profits to fund its espionage operations, the report states.
  • The group typically targets organizations in South Korea and the United States, with a special focus on government, business services, manufacturing, and education and research groups.

The big picture: Mandiant has “moderate confidence” that APT43 is specifically linked to North Korea’s foreign intelligence service.

  • Mandiant has been tracking this gang’s activities since 2018, and today’s report formally designates it as a state-backed hacking group.

Of note: Other companies refer to the group as “Kimsuky” or “Thallium” in their reports. Each cyber research firm uses its own naming conventions for identifying hacking groups.

Details: APT43 engages in two types of cyber activity: Spear-phishing email campaigns to harvest specific targets’ credentials and high-value research, and cryptocurrency firm hacks to get funds for its own operations.

  • In the spear-phishing attacks, APT43 poses as reporters and researchers to trick employees at U.S. defense and research organizations, as well as South Korea-based think tanks, into clicking on a malicious email link or responding with key intel.
  • APT43 has been seen using cryptocurrency services to launder stolen currency, suggesting the group has been involved in the string of recent attacks.

Threat level: Unlike other state-backed hacking groups, APT43 has yet to be seen exploiting critical, previously unknown (zero-day) vulnerabilities in systems.

  • However, the group continues to maintain “a high tempo of activity” and has collaborated with several other North Korean state-backed hacking groups.