The Federal Bureau of Investigation, National Security Agency and the U.S. Department of State have issued a joint cybersecurity advisory warning of state-sponsored email hack attacks that evade authentication security measures.
The attackers have been identified as APT43, a hacking group linked to the North Korean military intelligence agency. APT43, also known as Kimsuky, has been using email authentication bypass as a means to impersonate journalists, researchers and other academics as part of coordinated spear-phishing campaigns designed to “provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and other experts.”
Joint Cybersecurity Advisory Reveals Details Of North Korea Hacking Campaign
In Joint Cybersecurity Advisory JCSA-20240502-001 national security and intelligence agencies warn not only anyone who might be a potential target but any email user of the dangers of the state-sponsored North Korean Kimsuky malicious hacking group. Kimsuky, as part of North Korea’s military intelligence cyber program, is tasked with helping to maintain “consistent access to current intelligence about the United States, South Korea, and other countries of interest to impede any perceived political, military, or economic threat to the regime’s security and stability,” according to the JCSA authors.
Specifically, the APT43/Kimsuky group is line-managed, so to speak, by North Korea’s military intelligence 63rd Research Center which has been known to U.S. intelligence agencies since 2012. The primary mission of Kimsuky would appear to be to compromise expert targets such as policy analysts in order to attain data offering valuable geopolitical insight. In which case, you might be thinking, why should this FBI warning worry anyone else? Simply put every successful attack, even the most basic of phishing campaigns, can help build better attacks yet to come. In particular the crafting of the most credible emails in spearphishing attacks that focus on high-value targets holding the most sensitive of data. Why it should bother you, apart from the obvious national security reasons, is the method being employed by the attackers which can leverage your misconfigured email authentication settings.
Misconfigured DMARC Records Allow Malicious Email Spoofers Free Reign
Domain-based Message Authentication, Reporting and Conformance is one of those things most email users have never heard of, but everyone with their own email server really needs to have done. There’s a reason that Google has recently implemented new email authentication rules that will see non-authenticated messages from bulk senders to Gmail addresses returned unopened. That reason is to reduce the amount of spam and, in turn, reduce the potential for that spam to be carrying malicious content to Gmail users. Although spearphishing campaigns would not trigger the Gmail sender limits, the same authentication technology is what is being bypassed by the Kimsuky attackers. So how are they doing it?
First, you need to understand that DMARC is a security protocol that enables a receiving email server to know if the email originated from where it claims. In other words, DMARC authenticates that a message has not been spoofed but does come from the person, or at least the organizational email domain, it claims. It’s actually very good at doing this, apart from when it isn’t. The DMARC policy will instruct the receiving email server what to do with that message after first checking that the associated Sender Policy Framework and DomainKeys Identified Mail authentication records are a match. The DMARC policy itself can configured so as to send the email on to the recipient’s inbox, mark it as spam or reject it totally.
This is where Kimsuky comes in. They exploit the fact that many DMARC policies have been left blank or marked as no action to be taken if an email fails the tests, as there’s a p=none modifier to show no policy exists. The JSAC itself includes a number of real-world examples of emails sent by Kimsuky. After warning that Kimsuky campaigns will start with a broad reconnaissance phase, the advisory states that “content from emails of previously compromised email accounts” are also used to enhance the authenticity of the communication. Kimsuky will create fake usernames but use legitimate domain names in order to spoof individuals from organizations such as think tanks and higher education institutions. These emails don’t come from the actual organization’s domain but the hacker-controlled email address and domain instead. And all because DMARC policy was found to be lacking.
Do This 1 Thing Now To Mitigate Kimsuky Attack Threat, FBI Urges
The FBI and NSA advisory urges all email users to act on one piece of mitigation advice that could help prevent such attacks from succeeding. That advice follows on from recent moves by Google to protect users of the Gmail service from spammers by demanding bulk emails use domain authentication protections.
The new Gmail rules are to be applauded, but all email users have been advised by the FBI and NSA to take one action immediately: update your or your organization’s DMARC security policy.
To do this, you should ensure that your DMARC policy, which can be edited within your email domain’s DNS settings, is one of two configurations: “v=DMARC1; p=quarantine,” which instructs the email server to quarantine emails that fail DMARC testing as spam or “v=DMARC1; p=reject,” which tells the server to reject or block the email. If you only use a web service such as Gmail, and don’t have a custom domain, then you need not be concerned. Everyone else, though, should check with their IT team or web hosting company and ensure that the DMARC policy is properly configured.
“Spearphishing continues to be a mainstay of the DPRK cyber program,” NSA cybersecurity director Dave Luber said, “and this CSA provides new insights and mitigations to counter their tradecraft.”
