Espionage campaigns of North Korean hackers intensify

December 13, 2021
Tags: Espionage Campaigns, North Korean Hackers, Asia, Malware Attacks, Threat Actors, TA406

A North Korean threat actor tracked as TA406 has sharply increased the volume of its attacks this year. According to the reporting, the group's activity is dominated by credential-phishing campaigns aimed at stealing account credentials.

Researchers note that TA406 overlaps with activity publicly reported under the names Konni, Kimsuky, and Thallium, which has targeted government, media, research, healthcare, industrial, and education organisations. The cybersecurity firm behind the report considers TA406 part of the broader Kimsuky activity, which it splits into three distinct actors: TA406, TA408, and TA427.


The firm has tracked TA406 campaigns against its customers since 2018, but at low volume. That changed at the beginning of 2021: since the start of the year, the number of campaigns attributed to the group has risen significantly.

During the first half of the year the firm observed campaigns on an almost weekly basis targeting journalists, foreign policy experts, and non-governmental organisations (NGOs). The group shows a particular interest in people whose work concerns the Korean Peninsula, especially journalists and academics.

One campaign in March 2021 was notably broad, reaching senior officials at government institutions as well as defence firms, law enforcement agencies, consulting firms, economic organisations, and financial institutions. Geographically, TA406 concentrates its targeting on Russia, China, and North America.

Although the group has been active since 2012, it historically did not rely on malware in its campaigns. That changed at the start of this year: many of its operations now combine malware delivery with credential theft.

Malware families observed in the group's attacks include Amadey, BabyShark, CarrotBall, Fatboy, Konni, and NavRAT, among others. Researchers also report that these North Korean state-sponsored actors, and TA406 in particular, have carried out financially motivated operations, including cryptocurrency mining and sextortion, alongside their espionage work.

The firm tracking the group expects TA406 to sustain this high tempo of attacks against corporations and other organisations, and to continue prioritising credential-theft operations against targets whose access or information is of value to the North Korean government.
