The NSA and FBI warned that the APT43 North Korea-linked hacking group exploits weak email Domain-based Message Authentication Reporting and Conformance (DMARC) policies to mask spearphishing attacks.
Together with the U.S. State Department, the two agencies cautioned that the attackers abuse misconfigured DMARC policies to send spoofed emails which appear to come from credible sources such as journalists, academics, and other experts in East Asian affairs.
"The DPRK leverages these spearphishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets' private documents, research, and communications," the NSA said.
The United States-sanctioned Reconnaissance General Bureau (RGB), North Korea's main military intelligence organization, is behind a broad range of intelligence collection and espionage activities coordinated by the subordinate APT43 state threat group, also tracked as Kimsuky, Emerald Sleet, Velvet Chollima, and Black Banshee and active since at least 2012.
The aim is to retain up-to-date intelligence on the United States, South Korea, and other countries of interest to support North Korea's national intelligence goals and hinder any perceived political, military, or economic threat to the regime's security and stability.
As the NSA and the FBI first revealed last year, APT43 operatives have been impersonating journalists and academics for spearphishing campaigns, targeting think tanks, research centers, academic institutions, and media organizations in the United States, Europe, Japan, and South Korea since 2018.
"Kimsuky actors’ primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and other experts," the agencies added in a joint advisory [PDF] published this week.
"Successful compromises further enable Kimsuky actors to craft more credible and effective spearphishing emails, which can then be leveraged against more sensitive, higher-value targets."
Mitigation measures
In these attacks, they exploit missing DMARC policies or DMARC policies with "p=none" configurations, which tell the receiving email server to take no action on messages that fail DMARC checks.
This allows APT43's spoofed spearphishing emails, built on social engineering and content harvested from previous compromises, to reach the targets' mailboxes.
To mitigate this threat, the FBI, U.S. Department of State, and the NSA advise defenders to update their organization's DMARC security policy to use "v=DMARC1; p=quarantine;" or "v=DMARC1; p=reject;" configurations.
The first instructs email servers to quarantine emails that fail DMARC and tag them as potential spam, while the second tells them to block all emails that fail DMARC checks.
"In addition to setting the 'p' field in DMARC policy, the authoring agencies recommend organizations set other DMARC policy fields, such as 'rua' to receive aggregate reports about the DMARC results for email messages purportedly from the organization's domain," the agencies added.
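As an added example (not code from the advisory or the article), the following Python audits a domain's DMARC TXT record for the two weaknesses described above (no record, or p=none), flags a missing 'rua' tag, and shows the disposition a receiving server applies to a message that fails DMARC under each policy. The sample records are constructed; the 'pct' tag it also checks comes from RFC 7489 rather than from the advisory.

```python
# Added example: audit DMARC records for the weaknesses the advisory describes.
# Sample records are constructed; tag syntax follows RFC 7489 ("tag=value; ...").
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> dict:
    """Return {'status': 'weak'|'acceptable', 'policy': ..., 'findings': [...]}.

    'weak' is exactly the condition APT43 abuses: no record, an unusable record,
    or p=none. A missing 'rua' or partial 'pct' is reported but not 'weak'.
    """
    if record is None:
        return {"status": "weak", "policy": "none",
                "findings": ["no DMARC record published"]}
    tags = parse_dmarc(record)
    findings = []
    valid_v = tags.get("v", "").upper() == "DMARC1"
    if not valid_v:
        findings.append("missing 'v=DMARC1': receivers ignore the record")
    policy = tags.get("p", "none").lower() if valid_v else "none"
    if policy not in ("quarantine", "reject"):
        policy = "none"  # absent or unknown 'p' behaves like p=none
        findings.append("no enforceable policy: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' tag: no aggregate reports on spoofing attempts")
    pct = tags.get("pct", "100")
    if policy != "none" and pct != "100":
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    status = "weak" if policy == "none" else "acceptable"
    return {"status": status, "policy": policy, "findings": findings}


def receiver_disposition(record: Optional[str], dmarc_pass: bool) -> str:
    """What a receiving MTA does with a message under the sender domain's policy."""
    if dmarc_pass:
        return "deliver"
    policy = assess_dmarc(record)["policy"]
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    for rec in (None, "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine;", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(rec, "->", assess_dmarc(rec), "| failing mail:", receiver_disposition(rec, False))
```

The two records the agencies recommend both come out 'acceptable'; the quarantine one still earns a finding until an 'rua' address is added, which is what lets a defender see the spoofing attempts in aggregate reports.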
Comments
PK232 - 6 months ago
I would like to configure my DNS records to reject emails that fail DMARC, but I do not dare. There are too many domains that show my emails as failing DKIM when in fact there is nothing wrong with the emails and the way I have implemented DKIM. Microsoft email domains come immediately to mind. There are also still problems with the way email might be forwarded that are out of my control, which result in DKIM failure. For the time being my DNS records will continue to show p=quarantine, since that seems to allow DKIM failures to pass through unhindered, i.e., not quarantined. When DMARC reports never show failures for legitimate emails, I will reconsider rejection.
Wannabetech1 - 6 months ago
I've always thought it funny when NSA warns of such things as if they are the big heroes.