North Korean APT Bypasses DMARC Email Policies in Cyber-Espionage Attacks
How the Kimsuky nation-state group and other threat actors are exploiting poor email security — and what organizations can do to defend themselves.
Dr. Sean Costigan, Managing Director, Resilience Strategy, Red Sift
September 20, 2024
COMMENTARY
With heightened geopolitical tensions, a surge in cyberattacks on US and allied organizations by a North Korean cyber-espionage group is hardly unexpected. What is disquieting, however, is that an advanced persistent threat (APT) group known as Kimsuky has seen remarkable success by turning a defensive strength into a weakness: exploiting missing or poorly configured Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to carry out spear-phishing campaigns.
A May 2 advisory from the FBI, the National Security Agency (NSA), and the US State Department stated that Kimsuky, acting as an arm of North Korea’s Reconnaissance General Bureau (RGB), has been sending spoofed emails to individuals in high-profile think tanks, media outlets, nonprofits, academia, and other organizations. The emails are part of an intelligence campaign to trawl for information on geopolitics and foreign policy plans, particularly related to nuclear policies, sanctions, and other sensitive concerns involving the Korean peninsula.
With sanctions biting, North Korea has developed a formidable cybercrime capability to generate liquidity for the regime. However, in this case, we see Kimsuky threat actors alter their focus to intelligence operations, targeting troves of information held by trusted parties and prominent organizations. Although the ongoing campaign has complex geopolitical implications, effectively defending against these attacks fundamentally relies on robust, actionable, and properly executed cyber-hygiene practices.
DMARC Misconfigurations Are Too Common
Kimsuky spoofs the domains of trusted organizations whose DMARC policies are missing or improperly configured, impersonating well-known people and institutions. DMARC was created to stop exactly this: unauthorized use of a domain in the visible From header of an email, which is the foundation of the social engineering at work here.
This is how it’s supposed to work: a domain owner publishes a DMARC policy in the Domain Name System (DNS), as a TXT record at _dmarc.<domain>. A receiving mail server checks the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) results for an incoming message and then checks whether the domain that passed either test aligns with the domain in the From header the user sees. If neither aligned check passes, the published policy tells the receiver what to do next: p=none (deliver and only report), p=quarantine (treat as spam), or p=reject (refuse the message).
But as Kimsuky’s attacks have shown, that only works if DMARC is properly configured. As the IC3 advisories detail, misconfigurations are far too common: records are missing, left at the monitor-only p=none setting, or poorly defined by the domain owners. For some organizations, self-managing DMARC may seem cost-effective, but it can also lead to significant oversights, including increasing vulnerabilities, failing to pay heed to evolving threats, missing sound compliance reporting, and creating a false sense of security.
What North Korea’s Attack Looks Like
Kimsuky’s spear-phishing campaigns may begin with an innocuous email from a seemingly credible source, building trust before sending a subsequent email with a malicious link or attachment. The group then uses successful compromises to escalate attacks with more credible spear-phishing emails aimed at higher-value targets.
The group focuses its intelligence-gathering activities against South Korea, Japan, and the United States, targeting individuals identified as experts in various fields. According to a separate advisory from the Cybersecurity and Infrastructure Security Agency (CISA), think tanks and South Korean government entities have also been targeted.
One real-world example from the FBI-NSA advisory had a subject line reading: "[Invitation] US Policy Toward North Korea Conference." The message, seemingly from a known university, begins: “I hope you and your family are enjoying a lovely holiday and a restful season. It is my privilege to invite you to provide a keynote address for a private workshop, hosted by the [legitimate think tank] to discuss the U.S. policy toward North Korea.” As further inducement, the email also offers a $500 speaker’s fee.
Another email had the subject line “Questions about N. Korea,” with the writer posing as a journalist from a legitimate media outlet and requesting an interview, followed by a broad outline of North Korea’s nuclear activities.
In the university example, the email received a “pass” from SPF and DKIM checks, suggesting the attacker had access to legitimate sending infrastructure: the domain that actually transmitted and signed the message was authorized to do so. DMARC nonetheless returned a “fail,” because that authenticated domain did not align with the domain shown in the From header. But the spoofed domain’s DMARC policy was set to monitor only (p=none) rather than to quarantine or reject, so the receiver delivered the message anyway. In the second case, no DMARC policy was published at all, allowing the attacker to spoof the journalist’s name and the news organization’s email domain with nothing for the receiver to enforce.
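The evaluation described above, and the misconfigurations the advisories warn about, as an added worked example. This is not code from the article, the advisories, or Red Sift; it is a simplified model of the receiver-side logic in RFC 7489. The domains, the in-memory DNS table, and the two-label organizational-domain heuristic (real receivers use the Public Suffix List) are all constructed assumptions for illustration.

```python
"""Added example (not code from the article or from Red Sift): a simplified
model of how a receiving mail server evaluates DMARC per RFC 7489, plus a
check for the weak policy settings the advisory describes.

Assumptions: DNS is a constructed in-memory table, the domains are
placeholders, and organizational-domain lookup is a two-label heuristic
instead of the Public Suffix List that real receivers use."""

from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for TXT lookups at _dmarc.<from-domain>.
FAKE_DNS = {
    # Advisory case 1: a record is published, but it is monitor-only (p=none).
    "_dmarc.university.example": "v=DMARC1; p=none; rua=mailto:dmarc@university.example",
    # Advisory case 2: no DMARC record at all.
    "_dmarc.newsdesk.example": None,
    # Hardened counterpart: reject policy, subdomains covered, reporting enabled.
    "_dmarc.thinktank.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@thinktank.example",
}


def parse_dmarc(txt: Optional[str]) -> Optional[dict]:
    """Parse 'tag=value; ...' with RFC 7489 defaults; None if absent or invalid."""
    if not txt:
        return None
    tags = {"v": None, "p": None, "sp": None, "adkim": "r", "aspf": "r", "pct": "100", "rua": None}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A record without v=DMARC1 or a valid p= is treated as if no policy existed.
    if tags["v"] != "DMARC1" or tags["p"] not in ("none", "quarantine", "reject"):
        return None
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain (simplified: last two labels, not the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match; relaxed (r)
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Verdict:
    dmarc: str        # "pass", "fail", or "none" (no usable policy)
    disposition: str  # "deliver", "quarantine", or "reject"
    reason: str


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=FAKE_DNS) -> Verdict:
    """Apply the From domain's DMARC policy to the SPF/DKIM results.

    spf_domain is the envelope (MAIL FROM) domain SPF checked; dkim_domain is
    the d= tag of a signature that verified. Either may be None."""
    policy = parse_dmarc(dns.get(f"_dmarc.{from_domain.lower()}"))
    if policy is None:
        return Verdict("none", "deliver", "no DMARC policy for From domain; spoofing unconstrained")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return Verdict("pass", "deliver", "an aligned identifier authenticated")
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
    return Verdict("fail", disposition, f"no aligned identifier; policy p={policy['p']}")


def weaknesses(txt: Optional[str]) -> list:
    """Flag the misconfigurations a domain owner should fix in a DMARC record."""
    policy = parse_dmarc(txt)
    if policy is None:
        return ["no valid DMARC record: receivers apply no policy to spoofed mail"]
    findings = []
    if policy["p"] == "none":
        findings.append("p=none: failures are reported but never quarantined or rejected")
    pct = int(policy["pct"]) if policy["pct"].isdigit() else 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if policy["sp"] == "none" and policy["p"] != "none":
        findings.append("sp=none: subdomains can be spoofed despite the stricter p= policy")
    if not policy["rua"]:
        findings.append("no rua= address: no aggregate reports, so failures go unnoticed")
    return findings


if __name__ == "__main__":
    # Case 1 from the advisory: SPF and DKIM pass for the domain that actually
    # sent the mail, but that domain does not align with the spoofed From.
    print(evaluate("university.example", "pass", "mail.sender.example", "pass", "sender.example"))
    # Case 2: no DMARC record, so there is no policy to enforce.
    print(evaluate("newsdesk.example", "none", None, "none", None))
    # The same spoof against a domain publishing p=reject is refused.
    print(evaluate("thinktank.example", "pass", "mail.sender.example", "pass", "sender.example"))
    for name, record in FAKE_DNS.items():
        print(name, weaknesses(record))
```

Run against the constructed table, the first two verdicts come back as "deliver" for the same reasons the advisory gives (a failing check that the policy does not act on, and no policy at all), while the third is rejected outright. The weaknesses check is the kind of audit a domain owner should run on their own record, ideally by reading the live TXT record at _dmarc.<domain> rather than a local table.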
Why DMARC Matters
The US government’s advisories offer compelling reasons for organizations to secure their digital estates. Kimsuky is not alone: other APTs, and more broadly the cybercriminals who work for profit, share lessons and are becoming increasingly savvy at targeting misconfigurations and weaknesses.
Securing and properly configuring DMARC is key since it improves organizational cyber hygiene and broadly protects against ubiquitous threats like business email compromise and ransomware email attacks.
Notably, industry or regulatory requirements may already make DMARC a requirement for your organization. Since February 2024, Google and Yahoo have required DMARC for organizations sending large volumes of email (5,000 or more messages a day) to their users, and Microsoft is reportedly planning to follow suit. PCI DSS 4.0 (requirement 5.4.1) calls for controls that protect personnel against phishing, and cites DMARC, SPF, and DKIM as example techniques. According to BIMI Radar, since the FBI’s May 2 advisory, DMARC adoption globally has grown from 3.74 million organizations to 5.71 million organizations, as of June 17.
There’s a business imperative at work as well. Organizations must prioritize cyber hygiene to safeguard their digital assets, prevent data breaches, and protect against evolving cybersecurity threats. DMARC should be part of your organization’s cyber posture. When properly managed, not only does it ensure better deliverability, provide protection against phishing and business email compromise (BEC), and enable the deployment of Brand Indicators for Message Identification (BIMI), but it can help close doors against nation-state espionage and cybercrime.
About the Author
Managing Director, Resilience Strategy, Red Sift
Sean Costigan is an expert in emerging security challenges and a highly sought-after speaker on technology and national security. He is the lead for NATO’s cybersecurity curriculum and is widely published on national security matters relating to information security and hybrid threats. He is also a Professor at the George C. Marshall Center, where he educates on global cybersecurity, hybrid warfare, crime, and national security.