Kimsuky Exploits Lax DMARC Policies to Craft Convincing Email Spoofs


North Korean state-backed operators, already known for patient, email-driven social engineering, are refining their methods to get past anti-spam controls and have begun embedding tracking pixels in their messages, according to security researchers.

Researchers identify the group behind these activities as Kimsuky, a notorious Pyongyang-based threat group. This group has gained infamy for its sophisticated social engineering attacks targeting think tanks, governmental bodies, and journalists to gather insights on global perceptions of North Korea.

Email is central to Kimsuky's tradecraft. The group uses it not only to deliver malware through seemingly innocuous documents but also as a collection tool in its own right. Posing as journalists or think tank staff, the operators ask their targets for analyses and opinions, extracting valuable intelligence directly from the correspondence. Researchers at the security firm Proofpoint, which tracks the group as TA427 (other vendors use APT43 and Velvet Chollima), note that Kimsuky often achieves its intelligence goals through these direct inquiries rather than relying on malware at all.

A significant part of the campaign is the exploitation of lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies. DMARC lets a domain owner publish, in a DNS TXT record at _dmarc.<domain>, what receiving mail servers should do with messages that fail SPF and DKIM authentication and alignment checks: a policy of none asks only for reports, while quarantine and reject tell the receiver to junk or refuse the message. Kimsuky picks organizations whose domains publish a none policy (or no policy at all), so a message with a forged From: address in that organization's name passes through to the recipient's inbox and looks legitimate.
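The check a defender would run on a domain before trusting mail that claims to come from it, as an added example that is not code from the article or from Proofpoint: a small parser for DMARC TXT records following RFC 7489 that reports the settings which leave spoofing unblocked. The two records and the domain example.org are constructed for illustration so the script runs offline; in practice you would fetch the record with a TXT lookup of _dmarc.<domain> (for instance dig TXT _dmarc.example.org) and pass the string in.

```python
"""Audit a DMARC TXT record for the lax settings a sender-spoofing campaign needs.

Added example, not code from the article or from Proofpoint. A domain publishes
its DMARC policy as a DNS TXT record at _dmarc.<domain> (RFC 7489); this script
parses such a record and reports the settings that leave spoofing unblocked.
The two records below are constructed for illustration (example.org is not a
real target) so the check runs offline.
"""

# Constructed sample records, not fetched from DNS.
LAX_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
STRICT_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc-reports@example.org"
)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # empty trailing segment or malformed fragment
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means the policy blocks spoofs."""
    tags = parse_dmarc(record)
    findings = []

    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1): receivers apply no policy"]

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 section 6.6.3: with a valid rua= but no usable p=, receivers
        # treat the record as p=none; without rua= the record is simply ignored.
        if "rua" in tags:
            policy = "none"
        else:
            return ["p= tag missing or invalid and no rua=: record is ignored"]

    if policy == "none":
        findings.append("p=none: failing mail is still delivered, so spoofing the exact domain is unblocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofs land in junk folders rather than being rejected")

    # The subdomain policy defaults to p=; an explicit sp=none reopens subdomains.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains of this domain can still be spoofed")

    # pct= applies the policy to only a percentage of failing messages.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # receivers fall back to the default when pct= is unparsable
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail receives the policy")

    if "rua" not in tags:
        findings.append("no rua=: the owner receives no aggregate reports of spoofing attempts")

    return findings


if __name__ == "__main__":
    for name, record in (("lax", LAX_RECORD), ("strict", STRICT_RECORD)):
        print(f"{name}: {record}")
        for finding in audit_dmarc(record) or ["no lax settings found"]:
            print(f"  - {finding}")
```

Run against the lax record the audit reports a single finding, the p=none policy that the campaign relies on; the strict record produces none. The missing-p= branch matters in practice: a record such as "v=DMARC1; rua=mailto:..." with no p= tag is treated by receivers as p=none, which is as exploitable as publishing none explicitly.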

Kimsuky has also recently begun embedding tracking pixels (tiny, usually invisible, remotely hosted images) in its emails. When the recipient's mail client fetches the image, the request tells the operators that the message was opened, at what time, from which IP address and, from the User-Agent header, with which mail client or device. This serves as initial reconnaissance: it confirms that a target address is live and yields preliminary information about the recipient's environment before any follow-up. Mail clients that block remote images or fetch them through a proxy, as Gmail and Apple Mail's privacy protection do, blunt the technique by hiding the recipient's address and client.
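What such a pixel looks like inside a message, and how a mail gateway or an analyst could flag it, as an added example that is not the article's or Proofpoint's code. The sample message and the hosts think-tank.example and tracker.example are constructed for illustration; the detection keys on the attributes that distinguish a beacon from an ordinary logo (zero or one-pixel size, CSS hiding, a per-recipient token in the URL) and only then records whether the image is served from a host other than the claimed sender's domain.

```python
"""Flag tracking-pixel images in an HTML e-mail body.

Added example, not code from the article or from Proofpoint. A tracking pixel
is a remotely hosted image, usually 1x1 or hidden, whose URL carries a
per-recipient token; the HTTP request the mail client makes to fetch it tells
the sender when the message was opened, from which address and with which
client. The message below is constructed for illustration; think-tank.example
and tracker.example are hypothetical hosts.
"""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message (not a real capture).
SAMPLE_EML = b"""From: "Jane Analyst" <jane@think-tank.example>
To: target@example.org
Subject: Request for comment on DPRK sanctions policy
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear colleague, would you be willing to share your assessment?</p>
<img src="https://think-tank.example/logo.png" width="200" height="60" alt="logo">
<img src="https://tracker.example/open.gif?id=7f3a9c2e4b1d" width="1" height="1" style="display:none">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _is_tiny(value) -> bool:
    """True for width/height values of 0 or 1 (with or without a px suffix)."""
    try:
        return int(str(value).strip().lower().removesuffix("px")) <= 1
    except ValueError:
        return False


def find_tracking_pixels(raw_message: bytes) -> list:
    """Return one dict per suspicious remote image in the message's HTML parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    sender_domain = msg["From"].addresses[0].domain.lower()
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            src = img.get("src") or ""
            url = urlparse(src)
            if url.scheme not in ("http", "https"):
                continue  # cid:/data: images are not fetched remotely and cannot phone home
            reasons = []
            if _is_tiny(img.get("width")) and _is_tiny(img.get("height")):
                reasons.append("1x1 or zero-size image")
            style = (img.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden via CSS")
            if parse_qs(url.query):
                reasons.append("per-recipient token in query string")
            if not reasons:
                continue  # an ordinary remote image such as a logo
            host = (url.hostname or "").lower()
            if host != sender_domain and not host.endswith("." + sender_domain):
                reasons.append(f"loads from third-party host {host}")
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EML):
        print(hit["src"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

On the sample message the logo is ignored and only the one-pixel hidden image with the id= token is reported. The mitigation on the receiving side is the same one that defeats the reconnaissance: configure clients not to load remote images automatically, or route them through a proxy that strips the recipient's IP address and client identity.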

Prominent institutions such as the Stimson Center, the Atlantic Council, and the Wilson Center have been impersonated by Kimsuky in these phishing campaigns. Despite being placed under U.S. financial sanctions in November 2023, an action that was largely symbolic given North Korea's existing isolation from the international financial system, Kimsuky continues to operate. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that the group has been active since 2012 and has used more than a hundred domains in its operations.

Greg Lesnewich, a senior threat researcher at Proofpoint, notes the group's skill at social engineering and its unusual tactic of abusing lax DMARC policies. He points out that this level of attention to email authentication is uncommon among APT (Advanced Persistent Threat) groups that rely on phishing, underscoring Kimsuky's distinctive approach to cyber espionage.
