The North Korea-linked threat actor known as Kimsuky has been tied to a series of credential-stealing phishing attacks that use emails sent from addresses registered in Russia. According to South Korean cybersecurity firm Genians, the phishing emails were initially sent from Japanese and Korean email services, but messages masquerading as being sent from Russia began to appear in mid-September 2024.

Mechanism of the attacks
Some of the phishing emails imitated MYBOX, a cloud storage service from Naver, and tried to get users to click on links by creating a false sense of urgency: malicious files had allegedly been found in their accounts and had to be deleted immediately.

Phishing emails linked to MYBOX began to spread in late April 2024. Initially, the messages were sent from domains registered in Japan, South Korea, and the United States. Later, the attackers began using Russian domains such as "mmbox[.]ru" and "ncloud[.]ru".

Use of compromised servers and legitimate tools
Notably, Kimsuky used compromised servers to send the messages. In one case documented in the research, messages were sent from Evangelia University servers (domain evangelia[.]edu). The mailings were sent with the PHP-based Star mailer, a known tactic of this group that security vendors such as Proofpoint documented as early as November 2021.

Attack targets and long-term consequences
The main goal of these attacks is to steal victims' credentials, which lets the attackers take over the accounts and use them to target the victims' colleagues or acquaintances. Kimsuky has long been proficient at email phishing, combining social engineering with sender spoofing so that its messages appear legitimate and trustworthy, which helps them pass recipients' security checks.

In addition, earlier this year, US authorities noted that the Kimsuky group exploits "misconfigured DNS DMARC records" to disguise its social engineering attacks. DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication mechanism that helps receiving mail servers detect and reject sender spoofing; a record that is absent or set to a non-enforcing policy leaves the domain open to exactly this kind of impersonation.
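To make the DMARC misconfiguration point concrete, here is an added example (not from the article or from Genians) that parses a domain's DMARC TXT record and flags the weaknesses a defender would check for: a missing record, a non-enforcing `p=none` policy, a partial `pct`, a weak subdomain policy and no reporting address. The sample records and the `example.test` domain are constructed for illustration.

```python
# Added example: assess a DMARC TXT record for settings that leave a
# domain open to sender spoofing. Sample records below are constructed.
from __future__ import annotations


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; ...' into a tag map (tag names lower-cased)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str | None) -> list[str]:
    """Return findings for a record; an empty list means the policy is enforcing."""
    if not record:
        return ["no DMARC record: receivers cannot reject spoofed mail"]
    tags = parse_dmarc(record)
    findings: list[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        return ["missing or invalid 'v=DMARC1' tag: record is ignored"]
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'}: spoofed mail is delivered unchanged")
    # pct below 100 exempts a share of failing mail from the policy.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied only to part of failing mail")
    # Subdomains inherit p unless sp is set; an explicit weak sp is a gap.
    sub = tags.get("sp", "").lower()
    if sub and sub not in ("quarantine", "reject"):
        findings.append(f"sp={sub}: subdomains can be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts go unreported")
    return findings


# Constructed sample records (example.test is not a real domain).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_dmarc(rec) or ["enforcing"])
```

In practice the record is fetched with a TXT lookup of `_dmarc.<domain>`; the same checks then apply to the live value.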