Posted on November 11, 2021 at 8:40 PM
A recent report revealed that a North Korean hacking syndicate has been attacking think tanks in South Korea by planting malware in blog posts.
The report attributes the series of attacks to a state-sponsored advanced persistent threat (APT) group, which compromises victims’ systems by planting surveillance and data-theft malware on their machines.
Researchers from Cisco Talos stated that Black Banshee (also called Thallium or Kimsuky APT) is planting malicious Blogspot content. The group is using it to lure South Korea-based think tanks whose research focuses on military, diplomatic, and political topics concerning China, North Korea, the US, and Russia. According to the report, the APT is specifically targeting aerospace and geopolitical organizations.
The Group Is Also Targeting US Organizations
The researchers also stated that the threat actors have been active since 2012. In 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on the APT. At the time, the agency stated that the hacking syndicate is sponsored by the North Korean government and uses “global intelligence gathering” to target its victims. The group has also targeted organizations in the US and Japan.
According to security researchers at AhnLab, the threat actors have used research documents, questionnaires, and compensation forms in the past as phishing lures. According to Talos, the threat actors still use malicious Microsoft Office documents as attack vectors. Generally, the documents include malicious VBA macros, and when a macro is triggered the payloads are downloaded from Blogspot.
The research team also noted that the blog posts deliver three types of malicious content, all based on the Brave Prince/Dragon malware family: implant deployment scripts, file stealers, and initial beacons.
The first of these is specifically designed to plant an implant on endpoints and launch further malware components, including an information stealer and a keylogger.
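The infection chain described above (a macro-laden Office document that fetches its payload from Blogspot) gives defenders a simple telemetry signal: an Office host process, or a scripting host it spawned, opening a network connection to a blogspot.com subdomain. The script below is an added example, not code from the report or from Talos, and it runs over constructed Sysmon-style network-connection records in JSON (field names `image` and `dest_host` are assumptions; real telemetry will differ). It flags the combinations the report's chain would produce and leaves ordinary browser traffic to blog sites alone.

```python
import json
import re

# Office host processes that should rarely originate a download from a blogging platform.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script and shell hosts that a macro typically launches to fetch a second stage.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Matches blogspot.com itself and any subdomain of it (the hosting platform named in the report).
BLOGSPOT_RE = re.compile(r"(^|\.)blogspot\.com$", re.IGNORECASE)

# Constructed sample events (not real telemetry): one network-connection record per line.
# Field names `image` and `dest_host` are assumptions chosen for this example.
SAMPLE_EVENTS = r"""
{"ts":"2021-11-10T09:12:01Z","host":"ws-17","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest_host":"example-lure.blogspot.com","dest_port":443}
{"ts":"2021-11-10T09:12:05Z","host":"ws-17","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dest_host":"some-blog.blogspot.com","dest_port":443}
{"ts":"2021-11-10T09:13:40Z","host":"ws-22","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","dest_host":"officecdn.microsoft.com","dest_port":443}
{"ts":"2021-11-10T09:15:02Z","host":"ws-09","image":"C:\\Windows\\System32\\cmd.exe","dest_host":"second-stage.blogspot.com","dest_port":80}
"""


def process_name(image_path: str) -> str:
    """Return the lowercase executable name from a Windows image path."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_blogspot(hostname: str) -> bool:
    """True if the destination is blogspot.com or one of its subdomains."""
    return bool(BLOGSPOT_RE.search(hostname or ""))


def triage_events(raw_lines: str) -> list:
    """Return one finding per event in which an Office or script host talks to Blogspot.

    Browser traffic to blog sites is normal and is deliberately not flagged.
    """
    findings = []
    for line in raw_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if not is_blogspot(event.get("dest_host", "")):
            continue
        proc = process_name(event.get("image", ""))
        if proc in OFFICE_PROCESSES:
            reason = "office-host-to-blogspot"
        elif proc in SCRIPT_HOSTS:
            reason = "script-host-to-blogspot"
        else:
            continue
        findings.append({
            "ts": event.get("ts"),
            "host": event.get("host"),
            "process": proc,
            "dest_host": event["dest_host"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the same rule would be expressed in the SIEM's query language and joined with process-creation events, so that a `cmd.exe` hit is only raised when its parent is an Office process; the standalone version above keeps the two signals separate so each can be tuned on its own.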
Kimsuky Uses A Different Threat Approach
Other APTs generally try to infiltrate a system and steal whatever content or information they find on the compromised machine. Kimsuky works differently: the threat actors scan for specific information that is of interest to them, which makes them more effective because they know exactly what they are looking for.
These include content related to denuclearization, rocket designs, North Korea, and the relationships between the US and China. Additionally, they scan specifically for material science, fluid mechanics, and aviation fuel research.
“The attackers knew exactly which files they were looking for,” Talos stated.
This shows that the attackers have a deep knowledge of their targets’ endpoints, obtained from previous espionage operations.
The Talos team has alerted Google of its findings, and the blog content has since been deleted from Blogspot.
The researchers also noted that the Kimsuky threat group has continuously created new infection chains to deliver different types of malware to its victims.
This type of targeted attack can lead to the leak of restricted research. It can also lead to destructive attacks on target organizations, as well as unauthorized access for espionage purposes.
Hackers Looking For Covid-19 Vaccine Manufacturing Data
In a related development, North Korean hackers have been discovered targeting healthcare companies involved in the manufacturing of Covid-19 vaccines. The threat actors were discovered trying to steal information related to Covid-19 vaccines from a multinational life sciences company.
This comes despite North Korea claiming there are no Covid-19 cases in the country. Recently, it also declined three million vaccine doses offered by UNICEF.
The life sciences company, which has not been named, is a client of Secureworks. It was hacked via a supply-chain attack similar to the SolarWinds hacking incident.
Earlier this year, South Korea’s National Intelligence Service (NIS) refuted the claim that Pfizer had been hacked.
Secureworks discovered that the threat actors had access to an unnamed client’s network via a managed service provider (MSP). However, they were caught before they could steal any information from the system.
North Korea has long been accused of sponsoring hackers to obtain research materials. It has also used these hackers to fill its cash-strapped coffers. However, the recent targeting of South Korean think tanks and life sciences companies does not appear to have a financial motive.