North Korean threat actors are exploiting weak email policies to spoof legitimate domains during espionage phishing campaigns, a new US government advisory has warned.
The FBI, the US Department of State and the National Security Agency (NSA) said the North Korea-linked Kimsuky group is exploiting poorly configured Domain-based Message Authentication, Reporting and Conformance (DMARC) policies published in DNS to pose as legitimate journalists, academics or other experts in East Asian affairs with credible links to North Korean policy circles.
The threat actors attempt to access private documents, research and communications of policy analysts and other experts through these spearphishing attacks.
These social engineering campaigns are designed to provide the Pyongyang regime with intelligence on geopolitical events and foreign policy strategies in countries perceived to be a political, military, or economic threat, such as the US and South Korea, the agencies noted.
Poorly Configured DMARC Protocols Exploited
The advisory said that Kimsuky spearphishing campaigns are highly targeted, using broad research and preparation to create tailored online personas.
To make the personas appear more legitimate to targets, Kimsuky actors have been observed creating fake usernames and using legitimate domain names to impersonate individuals from trusted organizations, including think tanks and higher education institutions.
These emails will be delivered to the recipient’s inbox if the impersonated organization has not securely configured its DMARC policy.
DMARC protocols tell a receiving email server what to do with the email after checking a domain’s Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records.
Depending on whether the email passes or fails SPF and DKIM, it will be marked as spam, blocked or delivered to an intended recipient’s inbox.
This is designed to enable email domain owners to protect their domain from unauthorized use.
However, emails sent by the North Korean threat actors have been observed getting past DMARC policies that are weak or overly permissive rather than explicitly defined.
In one example noted in the report, the DMARC policy was set so that no filtering action is taken on a message even when it fails DMARC verification. This allowed the email to be delivered to the recipient’s inbox.
In a second example, a Kimsuky cyber actor posing as a legitimate journalist and seeking comment from an expert on North Korea issues exploited the absence of a DMARC policy that would have authenticated the sending email address against the SPF check.
How to Mitigate Kimsuky Phishing Tactics
The US federal agencies issued the following recommendations to organizations to enhance the security of DMARC policies in light of Kimsuky’s spearphishing tactics.
- Update your DMARC policy to either “v=DMARC1; p=quarantine;” or “v=DMARC1; p=reject;” to signal to email servers to consider unauthenticated emails as spam
- Set other DMARC policy fields, such as “rua” to receive aggregate reports about the DMARC results for email messages purportedly from the organization’s domain
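The receiver-side logic described above, together with the two hardening recommendations, as an added Python example (not code from the advisory or from the agencies): it parses a DMARC TXT record, audits it against the recommendations (policy strength and the presence of rua=), and shows how a receiver combines SPF/DKIM results with the published policy to arrive at deliver, quarantine or reject. The domains weak.example, strong.example and no-policy.example, their DNS answers and the sender hosts are constructed for illustration; the organizational-domain reduction is deliberately simplified (real receivers use the Public Suffix List), and no DNS lookups are performed.

```python
"""
Added example (not from the advisory): parse a DMARC TXT record, audit it
against the advisory's recommendations, and simulate the receiver's disposition.
All domains, DNS answers and header identities below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, List

# Constructed stand-in for TXT lookups of _dmarc.<domain>; no network access.
FAKE_DNS = {
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "_dmarc.strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100",
    # no-policy.example publishes no _dmarc record at all
}

@dataclass
class DmarcRecord:
    policy: str             # none | quarantine | reject
    rua: Optional[str]      # aggregate-report address, if any
    pct: int                # share of failing mail the policy applies to

def parse_dmarc(txt: str) -> Optional[DmarcRecord]:
    """Parse 'tag=value; tag=value' pairs; anything that is not a DMARC1 record with p= counts as no policy."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None  # malformed pair
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return DmarcRecord(policy=tags["p"], rua=tags.get("rua"), pct=int(tags.get("pct", "100")))

def lookup_dmarc(domain: str) -> Optional[DmarcRecord]:
    """Return the parsed record for `domain`, or None when none is published."""
    txt = FAKE_DNS.get(f"_dmarc.{domain}")
    return parse_dmarc(txt) if txt is not None else None

def audit_policy(domain: str) -> List[str]:
    """Findings a domain owner should act on, mirroring the advisory's two recommendations."""
    rec = lookup_dmarc(domain)
    if rec is None:
        return ["no DMARC record published: receivers get no instruction for failing mail"]
    findings = []
    if rec.policy == "none":
        findings.append("p=none: failing mail is still delivered; move to p=quarantine or p=reject")
    if rec.rua is None:
        findings.append("no rua= tag: the owner receives no aggregate reports of spoofing attempts")
    if rec.pct < 100:
        findings.append(f"pct={rec.pct}: policy applies to only part of the failing mail")
    return findings

def org_domain(host: str) -> str:
    """Simplified organizational-domain reduction (last two labels); real receivers use the PSL."""
    return ".".join(host.lower().split(".")[-2:])

def disposition(from_domain: str, spf_pass: bool, spf_domain: str,
                dkim_pass: bool, dkim_domain: str) -> str:
    """
    DMARC passes when SPF or DKIM passes *and* the passing identifier aligns with the
    From: header domain (relaxed alignment). Otherwise the published p= decides.
    """
    aligned = (spf_pass and org_domain(spf_domain) == org_domain(from_domain)) or \
              (dkim_pass and org_domain(dkim_domain) == org_domain(from_domain))
    if aligned:
        return "deliver"      # DMARC pass
    rec = lookup_dmarc(from_domain)
    if rec is None or rec.policy == "none":
        return "deliver"      # the gap the advisory describes: a failure has no consequence
    return rec.policy         # "quarantine" (spam folder) or "reject" (bounce)

if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "no-policy.example"):
        print(d, audit_policy(d))
    # Spoofed From: weak.example; SPF passed only for the sender's own, unaligned host.
    print(disposition("weak.example", True, "mailer.other-host.example", False, ""))
    print(disposition("strong.example", True, "mailer.other-host.example", False, ""))
```

Run as a script, the audit reports the weak domain's p=none and the missing record for no-policy.example, and the two disposition calls show the same spoofed message landing in the inbox under p=none but being rejected under p=reject.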
Additionally, they set out suspicious indicators of malicious North Korean phishing emails that potential targets should look out for:
- Innocuous initial communication with no malicious links/attachments, followed by communications containing malicious links/documents, potentially from a different, seemingly legitimate, email address
- Email content that may include real text of messages recovered from previous victim engagement with other legitimate contacts
- Emails in English that have awkward sentence structure and/or incorrect grammar
- Emails or communications targeting victims with either direct or indirect knowledge of policy information, including US and South Korea government employees/officials working on North Korea, Asia, China, and/or Southeast Asia matters; US and South Korea government employees with high clearance levels; and members of the military
- Email accounts that are spoofed with subtle misspellings of legitimate names and email addresses listed in a university directory or an official website
- Malicious documents that require the user to click “Enable Macros” to view the document
- Follow-up emails within 2-3 days of initial contact if the target does not respond to the initial spearphishing email
- Emails purporting to be from official sources but sent using unofficial email services, identifiable from header information that shows a slightly incorrect version of an organization’s domain
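The last two indicators (subtly misspelled addresses, and header domains that are a slightly incorrect version of an organization's domain) lend themselves to an automated mail-gateway or SIEM check. The following Python is an added example, not code from the advisory: it extracts the sender domain from a From: header, folds common look-alike characters, and flags domains within a small edit distance of a trusted organization's domain or that reuse a trusted name as a label of an unrelated domain. The trusted domains, header lines and homoglyph table are constructed for illustration.

```python
"""
Added example (not from the advisory): flag sender domains that are a slightly
incorrect version of a trusted organization's domain.
Trusted domains, homoglyph table and header values are constructed.
"""
import re
from typing import Optional

TRUSTED_DOMAINS = {"university.example", "thinktank.example"}  # constructed allow-list

# Common character substitutions that make a spoofed domain read like the real one.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    """Lower-case the domain and fold look-alike characters to their intended letters."""
    d = domain.lower()
    for lookalike, letter in HOMOGLYPHS.items():
        d = d.replace(lookalike, letter)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming row update."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> Optional[str]:
    """Extract the domain from a From: value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else None

def classify_sender(from_header: str) -> str:
    """
    'trusted' for an exact match, 'lookalike' when the normalized domain is within
    two edits of a trusted domain or reuses its name as a label of another domain,
    'unrelated' otherwise, 'unparseable' when no address is present.
    """
    dom = sender_domain(from_header)
    if dom is None:
        return "unparseable"
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(dom)
    labels = norm.replace("-", ".").split(".")
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(norm, trusted) <= 2:
            return "lookalike"          # e.g. univer5ity.example, universty.example
        if trusted.split(".")[0] in labels:
            return "lookalike"          # e.g. university-example.mailhost.example
    return "unrelated"

if __name__ == "__main__":
    # Constructed From: header values, as they might appear in gateway logs.
    for hdr in ("Dr. Kim <kim@university.example>",
                "Dr. Kim <kim@univer5ity.example>",
                "Dr. Kim <kim@universty.example>",
                "kim@university-example.mailhost.example",
                "news@freemail.example"):
        print(f"{classify_sender(hdr):11} {hdr}")
```

A gateway would typically route "lookalike" results to quarantine and a review queue rather than block outright, since legitimate third-party mail services do occasionally produce similar domains; the edit-distance threshold should be tuned to the length of the organization's own names.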