North Korean Actors Exploit Weak DMARC Security Policies

North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts

Summary

Authors: FBI, U.S. Department of State, NSA.

Focus: North Korean Kimsuky cyber actors exploit improperly configured DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies to conduct spearphishing campaigns.

Objective: Highlight the techniques these actors use to mask their social engineering attempts and offer mitigation measures.

Background

North Korean Cyber Program: Managed by the Reconnaissance General Bureau (RGB), which is responsible for intelligence collection and cyber espionage.

Kimsuky Group: Known aliases include Emerald Sleet, APT43, Velvet Chollima, and Black Banshee. Their mission is to gather geopolitical intelligence through compromised data and use it to enhance spearphishing campaigns.

Kimsuky’s Operations: DMARC Policy Not Enabled

DMARC Protocol: Helps authenticate emails sent from an organization’s domain. If not properly configured, it allows cyber actors to send spoofed emails that appear legitimate.

Technique: Kimsuky actors leverage social engineering by creating convincing email messages and personas, often impersonating journalists, academics, or experts.

Red Flag Indicators

Common Indicators:

  • Initial communications are innocuous, followed by malicious links/documents.
  • Content may include text from previous victim communications.
  • Emails have awkward grammar and sentence structure.
  • Targeted at individuals with knowledge of policy information.
  • Spoofed email addresses with slight misspellings.
  • Malicious documents require enabling macros.
  • Follow-up emails within a few days if no response.

Sample Emails and Headers

Examples:

Sample Email 1: Invitation to speak at a conference, offering a speaker fee.

Sample Email 2: Request for an interview on North Korean issues, with a diversion to a fake personal account for responses.

Headers: Illustrate how technical analysis can identify spoofing and failed DMARC checks.

Mitigation Measures

Recommendations:

  • DMARC Policy: set the published policy to one of the two enforcing values:
    • “quarantine” (v=DMARC1; p=quarantine;), or
    • “reject” (v=DMARC1; p=reject;).
  • Reporting: Use the “rua” tag to receive aggregate reports on DMARC results.
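As an added example (not part of the advisory), the following Python check audits a domain's published DMARC record against the recommendations above: it flags a missing record, a monitor-only p=none, and a missing rua address. The records and mailto addresses are constructed samples so the check runs offline.

```python
# Audit a DMARC TXT record against the advisory's recommendation (p=quarantine or
# p=reject, plus rua= reporting). Live records are published at _dmarc.<domain>.

ACCEPTABLE_POLICIES = {"quarantine", "reject"}  # the two policies the advisory asks for


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # skip empty trailing segments and malformed tokens
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (policy, weak, has_rua, findings); weak means a receiver would still
    deliver spoofed mail normally (no record, invalid record, or monitor-only p=none)."""
    if record is None:
        return "missing", True, False, ["no _dmarc TXT record published"]
    tags = parse_dmarc(record)
    findings = []
    valid = tags.get("v", "").upper() == "DMARC1"
    if not valid:
        findings.append("missing v=DMARC1 tag; receivers ignore the record")
    policy = tags.get("p", "none").lower()  # an absent p= tag behaves like monitor-only
    weak = not valid or policy not in ACCEPTABLE_POLICIES
    if policy not in ACCEPTABLE_POLICIES:
        findings.append(f"p={policy} neither quarantines nor rejects failing mail")
    has_rua = tags.get("rua", "").lower().startswith("mailto:")
    if not has_rua:
        findings.append("no rua= address; aggregate reports of spoofing are never received")
    return policy, weak, has_rua, findings


# Constructed sample records (not taken from the advisory).
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "quarantine": "v=DMARC1; p=quarantine;",
    "reject-with-reports": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org",
    "unpublished": None,
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        policy, weak, has_rua, findings = assess_dmarc(rec)
        print(f"{name}: p={policy} weak={weak} rua={has_rua}", *findings, sep="\n   - ")
```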

Tables and Graphics

Table: Summary of Key Points

Section                   | Key Points
--------------------------+-----------------------------------------------------------------------------------
Summary                   | FBI, State, NSA highlight DMARC exploitation by Kimsuky cyber actors.
Background                | North Korean RGB oversees cyber operations. Kimsuky group targets geopolitical intelligence.
DMARC Policy Not Enabled  | Improper DMARC configurations allow spoofed emails.
Red Flag Indicators       | Indicators of spearphishing include awkward grammar, targeted policy experts, and follow-up emails.
Sample Emails and Headers | Examples of spearphishing emails and how to identify spoofed email headers.
Mitigation Measures       | Recommended DMARC policies: quarantine or reject. Use "rua" for aggregate reports.

Graphic: DMARC Policy Configuration

DMARC Policy

  • "v=DMARC1; p=quarantine;"
    • Quarantines emails failing DMARC check
  • "v=DMARC1; p=reject;"
    • Rejects emails failing DMARC check
  • "rua"
    • Aggregate reports for DMARC results

Graphic: Red Flag Indicators

Red Flag Indicators

  • Innocuous initial communication
  • Awkward grammar and sentence structure
  • Emails targeting policy experts
  • Spoofed email addresses with slight errors
  • Malicious documents requiring macros
  • Follow-up emails within a few days