Mandiant details prolific North Korean cyber-espionage group
Mandiant has released a new report detailing APT43, a prolific cybercrime group that operates in the interest of the North Korean regime, and how it is using cybercrime to fund its operations.
Mandiant has assessed with high confidence that APT43 is a moderately-sophisticated cyber operator that supports the interests of the North Korean regime. Specifically, Mandiant assesses with moderate confidence that APT43 is attributable to the North Korean Reconnaissance General Bureau (RGB), the country's primary foreign intelligence service.
As for what APT43 has done, campaigns attributed to them include strategic intelligence collection aligned with Pyongyang's geopolitical interests, credential harvesting and social engineering to support espionage activities, and financially-motivated cybercrime to fund operations.
Having been tracked since 2018, the group's focus on North Korea's foreign and domestic policy reflects the group's responsiveness to shifting priorities from Pyongyang, exemplified by the group's focus on health-related verticals throughout the majority of 2021.
The group's most frequently observed operations are spear-phishing campaigns supported by spoofed domains and email addresses as part of their social engineering tactics.
Geographically the group is regionally focused on South Korea, the United States (US), Japan and Europe in various sectors, including government, education/research/think tanks focused on geopolitical and nuclear policy, business services and manufacturing.
With these different targets, Mandiant identified that APT43's activity varied slightly. For example, the use of VENOMBITE (a loader), SWEETDROP (a dropper) and BITTERSWEET (a backdoor) was distinct to APT43 activity targeting South Korea during the COVID-19 pandemic.
Mandiant considers cyber espionage to be the primary mission for APT43, and available data indicates that the group's other activities are carried out to support collecting strategic intelligence.
APT43 operates credential collection campaigns to directly compromise financial data, PII, and client data from entities within the academic, manufacturing, and national security industries, especially in South Korea.
The group has also targeted cryptocurrency and cryptocurrency-related services. However, where other North Korean groups, such as APT38, which is likely primarily tasked with bringing in funds for the regime, APT43 most likely carries out such operations to sustain its own operations.
As for APT43's links to other North Korean espionage operators, Mandiant assesses the groups as distinct and separate and believes that the overlaps are likely the result of ad hoc collaborations or other limited resource sharing.
Looking at APT43's tools, it relies on a relatively large toolkit comprised of both non-public malware and widely available tools. The group has deployed publicly available malware, including gh0st RAT, QUASARRAT and AMADEY, but its activities are much better known for being associated with LATEOP, a backdoor based on VisualBasic scripts.
Mandiant believes that APT43 will remain highly prolific in conducting espionage campaigns and financially motivated activities, barring a drastic change in North Korea's national priorities.
Mandiant also thinks North Korea has become increasingly dependent on APT43's cyber capabilities, particularly due to the group's responsiveness to the demands of Pyongyang's leadership.