CyberWire Daily - The art of information gathering. [Research Saturday]
Episode Date: April 20, 2024
Greg Lesnewich, senior threat researcher at Proofpoint, sits down to discuss "From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering." Since 2023, TA427 has directly solicited ...foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanction topics via benign conversation starting emails. The research states "While our researchers have consistently observed TA427 rely on social engineering tactics and regularly rotating its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling." The research can be found here: From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
So this group is, to be totally honest with you, one that I inherited and has been tracked in our space, call it the vendor threat research space, since roughly 2017, but probably going back further than that.
That's Greg Lesnewich, senior threat researcher at Proofpoint. The research we're discussing today is titled From Social Engineering to DMARC Abuse, TA427's Art of Information Gathering.
And you can sort of think about it as the West team or the cluster of activity from the Kimsuky umbrella, if we want to use that term, that targets people like policy experts that work either in government or for NGOs or think tanks.
And they send a lot of phishing emails to those people.
And so they've been around for a long time.
We observed some changes in their tactics and in their targeting.
And that led to the blog saying,
Hey, we think we've seen enough of a change that we should alert the general public.
And part of that comes from the fact that they tend to target a lot of personal addresses and
groups and companies that don't necessarily have the
most mature
or high-end security programs. And so sometimes
getting information out to alert
that sort of policy and think tank and North Korean watching
space can be the best thing to help prevent this group from being successful in their operations.
And you mentioned North Korea. I mean, we're fairly confident in saying here that this is an operation from them.
Yes. A big portion of that comes from U.S. government attribution of previous things that we've tracked from this cluster. I would say that there is consensus among those that track North Korean activity full-time that this is also North Korea.
I see. Well, let's talk about what their particular interests are here. I mean, who are the kinds of people that they're targeting?
The kinds of people they're targeting, I think, can really be well described by the kind of people they spoof.
Because the kind of people they spoof tend to be very well-known North Korean watchers, if that's a term that rings a bell for anybody.
And they'll spoof prominent people in the North Korean policy space and not people in North Korea
doing policy, but particularly people based in the US who have insight or potentially can
contribute to policies that would affect North Korea.
And so they target individuals that have some idea, can inform those policies,
or have particular analytical skills that could provide some insight for North Korea
about what those policies will be.
And so something like, you know, there's sort of a steady drumbeat of this activity that is targeting these people all the time.
And part of that is to, we believe, is for the group to sort of stay in touch with the heartbeat of what the North Korean community is, you know, caring about.
And some of it is then more particular in its engagement.
And a lot of that just derives from, hey, South Korea
announces that they are removing the
reunification language from their constitution.
TA427 will then come and ask experts and say,
is this actually going to affect policy or is this just sort of a stance change?
They won't ask it as elegantly as I just said it or as basically as I've just said it.
But they tend to have, in my opinion, what they're interested in can be very well derived from the questions they ask in their emails.
And those almost always go to people in government, but more so to people at think tanks and NGOs
in those sort of spaces.
And occasionally, we don't have necessarily the data to say that it's going to a ton of
journalists.
But given that they spoof journalists a good amount of times, we would expect that journalists who write about North Korea a lot are also targeted.
So is it fair to say this is a collegial exchange where they'll reach out to someone and say,
hey, you're an expert on North Korea's nuclear disarmament.
Good news.
So am I.
Let's talk shop.
Yeah, it will definitely tend to start that way
there will tend to be a question or sort of a hook
in there but all of it is not
it ignores all the things or avoids all the things that we tend
in like the phishing space to advise people to look out for
you know there's no talk about accounts.
There's no sort of language that is pushy
or conveying a sense of urgency.
And nor is there an amount of like,
hey, you should read this email,
like trying to make it seem important.
It does a lot to try and blend in
compared to how some of the business email compromise emails might do it.
And so there will tend to be a question or a topic in there very related to current events surrounding the Korean Peninsula.
Talking about how potential changes in the Japanese majority party and elections in South Korea might affect quote-unquote policies in Northeast Asia. And so there'll be some amount
of, you know, it won't always directly say, hey, how will this affect North Korea? But you can sort
of derive that sort of intent. And so there's sort of a bifurcation of things that can happen
after that. We've seen reports, particularly out of the folks from Reuters, who put out a piece, I think in 2022, where they first saw this activity, that they would solicit these questions in the way you just sort of termed it, collegial, and they would get a response back, hey, what do you think about this topic? The victim will say,
hey, I think that X, Y, and Z policies are going to create A, B, and C outcomes.
And sometimes they'll just drop the conversation there and say, okay, I've got what I need. Cool. Thank you. We believe that some of that activity can be them getting answers to questions that their leadership has to them.
Everybody has a boss that they're answering to in this space.
And if they can get the answer without having to complete more effort, why would you continue with the normal playbook?
We are a little bit biased in that, I'll note, because we want to interdict as soon as we see, you know, contact with a North Korean intelligence operative.
So we tend to do it in our technology and then from our advisement, and cut off that
communication as soon as possible so that the victim can't even respond. So we've seen reports of the sort of call and
response and then completion of that email thread. We've seen reports and observed in our data as
well sort of longer or attempted longer exchanges, especially with the victim's personal accounts.
So they will email their corporate or professional account
and CC their Gmail account, and they will continue to respond from their Gmail account.
And that can go on for months at a time without necessarily something super malicious happening.
And part of that is, I think, trust building. But also, from my view, if someone has a source that they can keep tapping
with low effort to get a good idea of what someone thinks about something, I think it's something
that they'll continue to pursue without necessarily needing to deploy malware or harvest credentials
in some manner, especially if going through that bulk of information that exists just on someone's computer is more effort
than it's worth, especially if they're getting the information directly from
the user, the voice themselves.
So it's a pretty interesting set of activity. Definitely not the sexiest, but definitely the most prolific group on the APT side of things that we see in our data.
Yeah. One of the things that this research that you all just published highlights is how they've sort of upped their game a little on the email side of using things like DMARC and some web beacons. Can you take us through what you're seeing there?
Yeah, and on the second one of those web beacons,
it's effectively something like marketing click tracking
to see, hey, has this person opened our emails
to get an idea of how successful a given campaign has been?
And they've sort of been testing with those same things.
We haven't seen
widespread adoption,
but we think it was sort of to get an idea of
are my emails landing? Are they landing in the right
place?
It might just be as simply as
are victims opening
my emails? And not
something as
nefarious as
are they coming out of the right IP address, or is some other technology, you know, effectively clicking on these links for these people?
I see.
The second one of these that you mentioned was the DMARC abuse, and that was something that we first started observing in December 2023, effectively coming out of accounts that TA427 has compromised for a really long time. We're trying to work with the folks that are compromised and are facilitating sending those emails. So we didn't name them in the piece because it didn't feel like a professional move to sort of call out people that might not be able to prevent those things on their own, and so trying to put out as much information as we can to say, hey, here's how you can protect yourself against the threat without doing sort of like the inverse of the victim shaming sort of thing.
So peeling back a little bit, or stepping back a little bit,
DMARC is the thing that was getting used or abused, rather, in that second instance.
Where effectively DMARC is an authentication sort of agreed-upon protocol in the email space
where if I have my website, call it
funhats.com, I can attach a DNS record to that, which would be _dmarc.coolhats.com, that would then provide the response. If you query it in, I believe, the TXT record, it would tell you, hey, this has a DMARC policy of X, Y, and Z. Okay. Those policies
can then dictate, does a policy exist, yes or no?
What are sort of the parameters of those policies? And effectively, the
parameters of those policies is where we saw
spoofed entities getting abused.
If my policy record says a policy exists, but it's not enforced, or to not...
You know, during the authentication process, if someone's sending an email as coolhats.com
fails to authenticate, like that DMARC authentication fails,
a lot of policies will just say,
eh, do nothing instead of quarantine or reject it
and then tell the entity that was spoofed that they were being spoofed.
And so it's kind of a tricky thing to set up.
And there's a ton of things on YouTube and the open internet about how to set that up.
But it is a little bit of an intensive process. And so given that we hadn't seen as much adoption
as we would hope for or like, we're sort of in a place where we have to say, okay, well,
these entities are being abused. We can sort of try to tell them to update their DMARC records
to prevent this spoofing.
But it does allow TA427 in the end
to very well spoof someone like my domain, coolhats.com.
And it does all the things, again, to what we said before,
it beats all of the measures that we tell people to look for in a phishing email
because everything in the header says it's coming from greg at coolhats.com.
There's no sort of difference between those two
unless you know how to open the email headers and inspect those and check them.
Or you're flagging for failed DMARC activity, it's not necessarily something that would bubble up without some
other technology in line to tell you, hey, this might be an imposter.
Don't engage with them or sort of proceed with caution.
And so that was sort of the main impetus for us wanting to get some information out there about this activity.
We'll be right back.
To what degree would you label this sort of low-level espionage?
I mean, it doesn't sound like they're actively trying to infiltrate classified information.
It strikes me that this is kind of taking a temperature of what people who have professional interest in these topics may be thinking about things.
Is that a fair way to assess what's going on?
Yeah, I think definitely from what their goals are,
I think that's a fair way to assess it.
I think espionage is sort of the closest proxy.
You could also make the argument that it is sort of,
you know, there's no embassy,
North Korean embassy in Washington, D.C.
And some of this activity, you could sort of imply that it's replacing that.
I know that Jenny Town from Stimson Center has sort of made that point.
And I tend to generally agree with it, that it's replacing diplomats and ambassadors being
on the ground and rubbing shoulders with sort of the think tank and policy folks on a day-to-day basis where you might not, you know, if you know someone who's
North Korean, you might not tell them everything, but they can still potentially attend your talk
or listen to your testimony somewhere and sort of get information that way. And so it definitely
feels very human-driven rather than cyber-driven espionage.
It's sort of just email.
Email is just the most convenient vector for it happening.
We do see it occasionally leading to credential harvesting or malware infections, which does sort of keep it in that sort of quote-unquote cyber domain and so I think that it just
kind of blurs the line because of the
inauthentic nature of the activity and
it being you know government or state
sponsored that we continue to bucket it
as espionage, but it's sort of not as neat as something like, say, another North Korean group
like TA404, which also could be tracked as Diamond Sleet,
targeting defense contractors and trying to steal missile plans.
That sort of directly falls into the espionage thing.
We don't want that. There are all sorts of
levers that can be pulled about that.
And this is just sort of a constant stream of questions that you could very well see the regime asking through sort of a proxy.
And part of it is just telling people to not engage with potentially North Korean citizens and personnel.
But to your point, yeah, it sort of doesn't really fit
into a neat box of espionage
or sort of the non-espionage-based information gathering
that happens at embassies worldwide.
Yeah, that's interesting.
So what are your recommendations then?
I mean, in terms of strategies for folks to be aware of this, protect themselves, and
I suppose part of this is helping spread the word as well.
Yeah.
And so I think broadly, not everyone, I think, has the same risk profile that academics and people in think tanks and NGOs have for getting random emails from people that purport to know them.
At a narrow focus, if you're in the North Korean watching or think tank or NGO community, those, sort of like the cyber threat intelligence and threat research spaces, tend to be pretty small. And so even if you don't know that person directly, you probably have a one-degree or two-degree of separation to ask through the grapevine to say, hey, did this person actually ask me to write a paper for them, or were they asking my opinion about something or to attend this event, or was it not them, and we should sort of throw the flag up and tell the rest of the community?
The tricky part with
this activity as a whole is guidelines and sort of
advice to the general public. The only real one that
comes to mind is when the sender
and the reply to address are different.
So if you click, you sort of have to do the dance of in Outlook or Gmail,
clicking reply to the email and seeing that the address that sent that email
is not the address you're sending something back to.
And then going from there to say,
okay, the thing that emailed me was coolhats.com
to overuse that example over and over again.
Right, right.
But the actual address that I'm replying to
is a Hotmail account.
Is that sort of disparate and different enough
to raise suspicion on my end.
And that, unfortunately, is just something that comes with probably being targeted by these folks before
and learning that that is something that could happen to you.
And to be honest, to your last point, awareness tends to be the best way that that community has of interdicting and preventing these threats. I'm not in any of these communities, but in engaging with a couple people that are,
someone will say, hey, we'll ask someone like a Jenny Town, who's at Stimson Center. She runs
a program called 38 North that does a lot on North Korea. And we'll ask, hey, is this your email
from a free mail
provider? Is this you or is this
North Korea, for lack of a better term? She'll say,
no, I don't control that account. And then on our end, we'll do our
normal technical work. The think tank folks will then go spread the word, say, hey, be on
the lookout for this email address because it's not actually me.
Don't reply to anything. Certainly don't reply and antagonize
them. And don't provide any information over. And some of that is
I think that we just don't want anyone to be engaging with
these folks because even if we can keep a slight amount of information advantage over North Korea, most of their other cyber programs are centered around them acquiring information or currency to further their weapons program.
There's a lot of black and white in the world or a lot of shades of gray in the world right now to decide, you know, what's good and what's bad.
I think that deciding, you know, helping prevent North Korea from getting a long-range nuclear weapon
is very much a good thing to do.
Yeah, not very ambiguous.
And so it sort of becomes an easy thing for us all to sort of center around.
Right, right.
I think it's a really interesting point,
you know, that because I can imagine if I'm a policy expert and the very fact that someone
is reaching out to me, there's a certain bit of flattery that goes with that. But then also,
if it's obvious to me that this is, wearing a fake mustache and a trench coat and a hat,
that it isn't actually the person that they say they are,
I can understand being a smart person and thinking,
oh, I might string them along for a little while.
But this may be North Korea's B team, but they may bring in the A team if you aggravate them.
Absolutely.
And even though we have not used the sophisticated word yet,
I think that the level of English that they are able to use in their Word documents,
everybody sort of makes mistakes, but the level of English, the amount that sort of things they're
able to discuss, even just via email in a written format, not live and on the phone or something like that,
is impressive. And so I think that they have proven themselves pretty capable just in this
arena alone. And we sort of suspect, we do not know, but that operators from this group and potentially the other parts of the quote-unquote Kimsuky umbrella
got pulled in to a tiger team during the COVID response from North Korea.
And they were doing things that were well above the normal TTP capability we would assign them in sort of their daily operations.
And so we know that that ceiling is higher than this activity is showing us.
And so I think that that's also, to your point, a big part of keeping things calm through
those engagements and saying, hey, even though that this isn't the most malign thing that you've ever seen,
aggravating them is just not going to help anybody.
Right, right.
And they definitely do have some, I think within their repertoire,
they have some pretty capable malware families like Recon Shark,
which is an updated version of Baby Shark,
a Visual Basic, VBS-based
family that
is pretty well detected
and easy to track if
you're looking at it, but it's
not something they use all the time.
They will use a lot of things like browser extensions
to steal passwords and things like that.
But
I think even with those sort of
small selection of tooling,
I think that they, because of the apparatus,
the North Korean apparatus that they're tied to,
there can be a bigger hammer to get rolled out
if it's needed.
Our thanks to Greg Lesnewich from Proofpoint for joining us.
The research is titled,
From Social Engineering to DMARC Abuse,
TA427's Art of Information Gathering.
We'll have a link in the show notes.
This episode was produced by Liz Stokes. Our mixer is Elliot Peltzman. Our executive
producers are Jennifer Iben and Brandon Karp. Our executive editor is Peter Kilby, and I'm Dave
Bittner. Thanks for listening. We'll see you back here next time.