UPDATED 05:00 EST / NOVEMBER 18 2021

SECURITY

North Korean cybercriminal group ‘TA406’ escalates attacks through 2021

A new report from security researchers at Proofpoint Inc. details a North Korean-aligned threat actor undertaking attacks that have escalated through 2021.

Dubbed TA406, the threat actor is associated with the Kimsuky threat actor group, referred to by some as Thallium and Konni Group but a unique entity in its own right. The group undertakes various nefarious activities, including espionage, cybercrime and sextortion, focusing on targeting research, education, government, media and other organizations.

TA406 was first identified in 2018, but the threat actor’s campaigns remained low in volume until January. From January through to June, TA406 expanded its activity with almost weekly campaigns targeting foreign policy experts, journalists and nongovernmental organizations.

The group itself only sometimes uses malware and primarily targets potential victims through spear-phishing campaigns, which are targeted attempts to persuade people they’re providing information to someone they know. TA406, along with related groups TA408 and TA427, have one thing in common: The attacks are usually launched between 9 a.m. and 5 p.m. North Korean time, with a few exceptions. They also seemingly take a break for lunch.

TA406 targets primarily reside in North America, China and Russia. The group frequently masquerades as Russian diplomats and academics, Ministry of Foreign Affairs representatives, human rights officials or Korean individuals.

Although espionage is a motivating factor in some attacks, the group has also targeted individuals and organizations related to cryptocurrency for financial gain.

Some of the tactics used by TA406 are also interesting. The phishing aspects with either dubious attachments or fake login pages have been seen among many groups before, but TA406 takes the spear-phishing to the next level by creating fake LinkedIn accounts. In one case, there was a fake persona under the name of “Tomas Jimy” complete with the claim that Jimy was a researcher with Stanford University.

TA406 is usually predictable in the type of people it targets, but there are some exceptions. One campaign this year had drastically different targeting than normal for unknown reasons. The campaign occurred around the same time as the March 2021 North Korean missile tests and targeted several organizations and individuals not previously observed as targets for TA406.

The recipients of that campaign included some of the highest-ranking elected officials of several different governmental institutions, an employee at a consulting firm, government institutions related to defense, law enforcement, and economy and finance, plus generic mailboxes for board and customer relations at a large financial institution.

The report itself goes into much deeper details about the tools and methodology used by the group. The Proofpoint researchers conclude that TA406 will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government.

Image: Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.