Researchers Expose New North Korean Hacker Group, APT43

Adding to an already crowded threat ecosystem, researchers at Mandiant have identified a new North Korean group, tracked as APT43. The group has targeted government entities, think tanks, and academics in the U.S., Japan, and South Korea.

Diving into details

According to researchers, the North Korean APT group follows in the footsteps of other North Korean APTs by funding its own operations through cybercrime rather than relying on state funding.
  • APT43 uses legitimate cloud-mining services to launder stolen cryptocurrency, making the funds difficult to trace; this laundering tactic had gone unnoticed until now.
  • Furthermore, despite lacking technological sophistication, the group relies on persistent social engineering: it creates fake personas and builds relationships with targets over several weeks without deploying any malware.

Attribution

  • APT43 leverages its own set of custom malware, including Pencildown, Venombite, Pendown, Lateop, and the Hangman backdoor, which have not been observed in use by other attackers.
  • It has also been recorded using publicly available tools such as QuasarRAT, Amadey, and gh0st RAT.
  • Researchers have previously attributed APT43 activity to Kimsuky or Thallium, so the overlap in naming is expected.
  • During the COVID-19 pandemic, APT43 was observed using malware that was also used by the Lazarus group.
  • The group has also used the Lonejogger crypto-stealer associated with UNC1069, a threat actor likely connected to APT38.

Why it matters

  • According to Mandiant, APT43 changes its TTPs and malware in line with North Korean government demands, carrying out financially motivated cybercrime to support the regime.
  • The group shifted its focus to COVID-19 response efforts during the pandemic and has recently expanded to targeting everyday users, which makes its activity harder to spot.
  • It targets entities in government, business services, manufacturing, think tanks, and education and research related to geopolitical and nuclear policy in the U.S., South Korea, and Japan.

The bottom line

Organizations that may be at risk from APT43 are advised to educate their employees, given the group's advanced social-engineering tactics and its tendency to target both specific individuals and broader organizations. Mandiant anticipates that APT43 will remain a highly active threat group unless North Korea changes its national priorities.
Cyware Publisher