Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Email Security

US Says North Korean Hackers Exploiting Weak DMARC Settings 

The US government warns of a North Korean threat actor abusing weak email DMARC settings to hide spear-phishing attacks.

North Korea

The North Korea-linked hacking group tracked as Kimsuky has been exploiting weak email Domain-based Message Authentication, Reporting and Conformance (DMARC) settings to conceal spear phishing attacks, the US government warns.

Crafted DMARC policies have allowed Kimsuky to spoof email messages and pose as legitimate academics, journalists, and experts in Eastern Asian affairs, according to an alert from the FBI, the NSA, and the US Department of State.

“North Korea leverages these spear phishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting North Korean interests by gaining illicit access to targets’ private documents, research, and communications,” the agencies said.

As part of its cyber program, North Korea is engaging in sustained intelligence-gathering efforts through the Reconnaissance General Bureau (RGB), its premier military intelligence organization. These efforts are focused on maintaining access to intelligence about the US, South Korea, and other countries perceived as political, military, or economic threats to North Korea.

A subdivision of RGB and sanctioned by the US, Kimsuky has been engaging in cyber activities since 2012, and has been responsible for large-scale social engineering campaigns, providing stolen data and valuable geopolitical insight to the Pyongyang regime through the compromise of policy analysts and other experts.

“Successful compromises further enable Kimsuky actors to craft more credible and effective spear phishing emails, which can then be leveraged against more sensitive, higher-value targets,” the US government added.

The agencies said the threat actor conducts well-researched and prepared spear phishing campaigns that may use content from previously compromised email accounts or may leverage fake usernames impersonating individuals from trusted organizations such as education institutions and think tanks.

Spoofed emails are sent from an actor-controlled email address and domain, but the exploitation of improperly configured DMARC policies, which are meant to ensure that emails have been sent from an organization’s legitimate domain, help the adversary deceive their targets.

Advertisement. Scroll to continue reading.

Individuals associated with Kimsuky-targeted industries are advised to be wary of links and attachments received via email, of content recovered from conversations with other contacts, messages containing incorrect grammar, and communication targeting individuals with direct or indirect knowledge of policy information.

Furthermore, spoofed email accounts, documents that request the user to enable macros, follow-up emails if the recipient did not respond to the initial message, and emails claiming to be from official sources but coming from unofficial email services should also be considered suspicious.

The US government’s alert, which provides sample spear phishing email messages from the North Korean threat actor, also contains recommended mitigations that organizations should implement to prevent the successful delivery of spoofed emails to the intended victims’ inboxes.

Editor’s note: Kimsuky is publicly tracked as APT43, Black Banshee, Emerald Sleet, G0086, Operation Stolen Pencil, THALLIUM, Thallium, and Velvet Chollima.

Related: South Korea Says Hackers Breached Personal Emails of Presidential Staffer

Related: UN Experts Investigating Suspected Billion-Dollar North Korean Cyberattacks

Related: North Korean Hackers Developing Malware in Dlang Programming Language

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights