

APT43 / Kimsuky / Velvet Chollima / Emerald Sleet / THALLIUM

APT43, also known as Kimsuky, Velvet Chollima, and Emerald Sleet (THALLIUM), is considered moderately sophisticated in its capabilities, relying on social engineering such as spoofed personas, spoofed domains (spear phishing), credential harvesting, and cover identities for purchasing tools and infrastructure. APT43 develops and sends highly customized spear phishing e-mails as its infection vector. APT43’s cryptocurrency laundering techniques, such as purchasing mining power, make on-chain transaction tracing impossible.

Mandiant has tracked this group since 2018, and APT43’s collection priorities align with the mission of the Reconnaissance General Bureau (RGB), North Korea's main foreign intelligence service. APT43 is able to support espionage efforts with cybercrime, is willing to engage in operations over longer periods of time, and has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus.

The group’s focus on foreign policy and nuclear security issues supports North Korea’s strategic and nuclear ambitions. However, the group’s focus on health-related verticals throughout the majority of 2021, likely in support of pandemic response efforts, highlights its responsiveness to shifting priorities from Pyongyang.

Prior to October 2020, APT43 primarily targeted government offices, diplomatic organizations, and think tank-related entities with a stake in foreign policy and security issues affecting the Korean peninsula in South Korea and the US. From October 2020 through October 2021, a significant portion of APT43 activity focused on health-related verticals and pharmaceutical companies, most likely in support of COVID-19 response efforts in North Korea. Although it is unclear how any targeted information benefited the regime, cooperation with and across other North Korean cyber operators provides some indication of significant resourcing and prioritization of this effort during the COVID-19 global pandemic.

Throughout this period, APT43 espionage campaigns targeting South Korea, the U.S., Europe and Japan were ongoing. Notably, observed APT43 activity varied slightly according to the target, including differences in the malware deployed. For example, the use of VENOMBITE (a loader), SWEETDROP (a dropper), and BITTERSWEET (a backdoor) was distinct to APT43 activity targeting South Korea during the COVID-19 pandemic.

Publicly reported activities attributed to APT43 are frequently reported as “Kimsuky” or “Thallium” and include credential harvesting and espionage activity most likely intended to inform North Korean leadership on ongoing geopolitical developments. Their most frequently observed operations are spearphishing campaigns supported by spoofed domains and email addresses as part of their social engineering tactics. Domains masquerading as legitimate sites are used in credential harvesting operations.

APT43 maintains a high tempo of activity, is prolific in its phishing and credential collection campaigns, and has demonstrated coordination with other elements of the North Korean cyber ecosystem. APT43 steals and launders enough cryptocurrency to buy operational infrastructure in a manner aligned with North Korea’s juche state ideology of self-reliance, therefore reducing fiscal strain on the central government.

Espionage targeting is regionally focused on South Korea, Japan, Europe, and the United States, especially in the following sectors: government, business services, and manufacturing, along with education, research, and think tanks focused on geopolitical and nuclear policy. The group shifted focus to health-related verticals throughout the majority of 2021, likely in support of pandemic response efforts.

The group creates numerous spoofed and fraudulent (but convincing) personas for use in social engineering, masquerades as key individuals within their target area (such as diplomacy and defense), and leverages stolen personally identifiable information (PII) to create accounts and register domains. APT43 has also created cover identities for purchasing operational tooling and infrastructure. APT43 buys hash rental and cloud mining services to provide hash power, which is used to mine cryptocurrency to a wallet selected by the buyer without any blockchain-based association to the buyer’s original payments—in other words, they use stolen crypto to mine for clean crypto.

APT43 most commonly leverages tailored spear-phishing emails to gain access to victim information. However, the group also engages in various other activities to support collecting strategic intelligence, including using spoofed websites for credential harvesting and carrying out cybercrime to fund itself. The actors regularly update lure content and tailor it to the specific target audience, particularly around nuclear security and non-proliferation. APT43 is adept at creating convincing personas, including masquerading as key individuals within their target area (such as security and defense), as well as leveraging stolen personally identifiable information (PII) to create accounts and register domains. APT43 pairs highly relevant lure content with spoofed email addresses.

In late 2021, APT43 resumed credential harvesting campaigns against religious groups, universities, and non-governmental organizations (NGOs), providing some indication that these campaigns were targeting "track two" diplomatic channels between North Korea and counterparts in South Korea and Japan. Notably, the activity represented a return to a primary focus on espionage targeting after a temporary focus on COVID-19 related organizations. In early 2022, Mandiant Intelligence observed multiple credential collection campaigns targeting academics, journalists, politicians, bloggers, and other private sector individuals, primarily in South Korea. By mid-2022, credential theft campaigns shifted to targeting South Korean bloggers and social media users associated with South Korean affairs, human rights, academia, religion, and cryptocurrency.

Cyber espionage appears to be the primary mission for APT43, and available data indicates that the group’s other activities are carried out to support collecting strategic intelligence. The group was primarily interested in information developed and stored within the U.S. military and government, the defense industrial base (DIB), and research and security policies developed by U.S.-based academia and think tanks focused on nuclear security policy and nonproliferation. APT43 displayed interest in similar industries within South Korea, specifically non-profit organizations and universities that focus on global and regional policies, as well as businesses, such as manufacturing, that can provide information around goods whose export to North Korea has been restricted. This includes fuel, machinery, metals, transportation vehicles, and weapons.

Open sources often include additional operations in public reporting on “Kimsuky” activity. However, Mandiant continues to track these separately, especially those that leverage malware families such as KONNI and the related tools CABRIDE and PLANEPATCH. Although these clusters of activity overlap with APT43, Mandiant assessed that the links were tenuous and that the activity was the work of a separate group.
