Key takeaways
TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime.
In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization-related personas to legitimize its emails and increase the chances that targets will engage with the threat actor.
To craftily pose as its chosen personas, TA427 uses a few tactics including DMARC abuse in concert with free email addresses, typosquatting, and private email account spoofing.
TA427 has also incorporated web beacons for initial reconnaissance of its targets, establishing basic information such as whether the email account is active.
Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanction topics via benign conversation starting emails.
While our researchers have consistently observed TA427 rely on social engineering tactics and regularly rotate its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling.
Volume of TA427 phishing campaigns observed between January 2023 and March 2024.
Social engineering
TA427 is a savvy social engineering expert whose campaigns are likely in support of North Korea's strategic intelligence collection efforts on US and ROK foreign policy initiatives.
Based on the targets identified and the information sought, it is believed that TA427's goal is to augment North Korean intelligence and inform its foreign policy negotiation tactics.
TA427 is known to engage its targets for extended periods of time through a series of benign conversations to build a rapport with targets that can occur over weeks to months.
It is possible that TA427 can fulfill its intelligence requirements by directly asking targets for their opinions or analysis rather than from an infection.
TA427 also weaves conversations in multiple email threads between a target's personal and corporate email addresses, likely to avoid security controls on corporate email gateways.
TA427's most impersonated
TA427's benign campaign activity tends to impersonate individuals that work in the following verticals: think tanks and non-governmental organizations, media, academia, and government.
TA427 usually masquerades as members of think tanks and NGOs to engage targets.
Over the years, Proofpoint researchers have observed TA427 pose as many well-known think tanks and NGOs, including the Stimson Center, the Atlantic Council, the Wilson Center, the Ronald Reagan Presidential Foundation and Institute, and the Maureen and Mike Mansfield Foundation, among others.
Further, TA427 tends to rely on one of three methods of impersonation for this activity: DMARC abuse (delved into further in the next section), typosquatting, and private email account spoofing using free email services.
Since December 2023, many of the entities that TA427 has spoofed either had not enabled DMARC policies or had not enforced them.
TA427 then places a free email address, spoofing the same persona, in the Reply-To field to convince the target that they are engaging with legitimate personnel.
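As an added illustration of how a defender can check for the two conditions described here (a sender domain with no enforced DMARC policy and a Reply-To that diverts replies to a free email account), the following Python script is not Proofpoint's code; the domains, the DMARC record table and the sample headers are constructed stand-ins for a live DNS lookup and real mail.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for a DNS TXT lookup of _dmarc.<domain>; a real triage
# tool would resolve these live instead of using a static table.
DMARC_RECORDS = {
    "thinktank.example": "v=DMARC1; p=none; rua=mailto:dmarc@thinktank.example",
    "ngo.example": "v=DMARC1; p=reject; pct=100",
}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # illustrative list

def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC TXT record, or None if it is not one."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def dmarc_enforced(record):
    """True only if the policy quarantines or rejects all mail failing DMARC."""
    tags = parse_dmarc(record)
    if tags is None:
        return False
    return tags.get("p", "none") in ("quarantine", "reject") and tags.get("pct", "100") == "100"

def header_domain(value):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(str(value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def triage(raw):
    """List the reasons a message matches the spoofed-From plus free-mail Reply-To pattern."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = header_domain(msg.get("From"))
    reply_dom = header_domain(msg.get("Reply-To"))
    reasons = []
    if from_dom and not dmarc_enforced(DMARC_RECORDS.get(from_dom)):
        reasons.append(f"no enforced DMARC policy for {from_dom}")
    if reply_dom and reply_dom != from_dom and reply_dom in FREE_MAIL_DOMAINS:
        reasons.append(f"Reply-To diverts replies to free-mail domain {reply_dom}")
    return reasons

# Constructed sample headers, not a real TA427 message.
SAMPLE = """From: "Dr. Jane Doe" <jane.doe@thinktank.example>
Reply-To: "Dr. Jane Doe" <jane.doe.thinktank@gmail.com>
To: expert@victim.example
Subject: Request for your views on sanctions policy

Hello, I would value your thoughts on the recent sanctions discussion.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```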
Conclusion
TA427 is one of the most active state-aligned threat actors currently tracked by Proofpoint.
With a clear degree of success, TA427 shows no indication of slowing down or losing its agility in adjusting its tactics and standing up new infrastructure and personas with expediency.
This Cyber News was published on www.proofpoint.com. Publication date: Wed, 17 Apr 2024 07:58:05 +0000