Mandiant names APT43 group as North Korean operation

Espionage funded by cyber crime.

By Richard Chirgwin on Mar 29, 2023 9:22AM

Mandiant is warning that a newly-named North Korean espionage group, APT43, is undertaking widespread cryptocurrency theft to fund its operations.

The company has formally “graduated” the threat actor to a named group, having tracked its activity since 2018.

Graduation means Mandiant is sufficiently confident in its assessment to associate the activities it observes to a defined group of actors, and APT43 is “our first official graduation since Mandiant announced APT42 in September 2022,” the company said.

In a new report, Mandiant gives the attribution that convinced it to graduate APT43.

“We assess with high confidence that APT43 is a state-sponsored cyber operator that acts in support of the North Korean government’s wider geopolitical aims”, the company wrote.

APT43’s aim, Mandiant said, is to use cyber crime to fund its ability to conduct espionage and collect strategic intelligence.

“Their most frequently observed operations are spear-phishing campaigns supported by spoofed domains and email addresses as part of their social engineering tactics. Domains
masquerading as legitimate sites are used in credential harvesting operations”, the report said.
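As an added, defender-side illustration that is not code from Mandiant’s report or from iTnews: a small Python triage routine that flags domains masquerading as a trusted site, the credential-harvesting pattern the report describes. The trusted list, the candidate domains and the confusable-character map are all constructed for the demo, and the name/TLD split assumes a single-label public suffix (it does not handle suffixes such as co.uk).

```python
"""Lookalike-domain triage (added example, not from the report).

Flags candidate domains that resemble an organisation's own short list of
trusted sites: confusable characters, single-edit typos, swapped TLDs,
a trusted name embedded in a longer label, or punycode (IDN) labels.
"""

# Constructed allowlist for the demo. In practice this is the set of brands,
# partners and login portals an organisation's users are expected to visit.
TRUSTED_DOMAINS = ["38north.example", "policy-institute.example"]

# Deliberately small confusable map: visually similar ASCII characters plus a
# few Cyrillic letters that render like Latin ones. Multi-character keys come
# first so "rn" collapses to "m" before single characters are handled.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def normalize_label(label: str) -> str:
    """Lower-case a DNS label and fold confusable characters to their Latin look-alike."""
    out = label.lower()
    for src, dst in CONFUSABLES.items():
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (name, tld) from the last two labels. Assumption: single-label TLDs."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def assess_domain(domain: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify one domain against the trusted list; returns verdict and reason."""
    domain = domain.lower().rstrip(".")
    name, tld = split_domain(domain)
    result = {"domain": domain, "verdict": "no match", "reason": None, "mimics": None}

    # Punycode labels (xn--) can encode homoglyph attacks that survive ASCII checks.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return dict(result, verdict="suspicious", reason="punycode label")

    norm_name = normalize_label(name)
    for legit in trusted:
        legit = legit.lower()
        lname, ltld = split_domain(legit)
        norm_lname = normalize_label(lname)

        if domain == legit or domain.endswith("." + legit):
            return dict(result, verdict="trusted", mimics=legit)
        if name == lname and tld != ltld:
            return dict(result, verdict="suspicious", reason="TLD swap", mimics=legit)
        if name != lname and norm_name == norm_lname:
            return dict(result, verdict="suspicious", reason="confusable characters", mimics=legit)
        if len(norm_lname) >= 5 and 0 < levenshtein(norm_name, norm_lname) <= 1:
            return dict(result, verdict="suspicious", reason="typosquat", mimics=legit)
        if norm_lname in norm_name and norm_name != norm_lname:
            return dict(result, verdict="suspicious", reason="trusted name embedded", mimics=legit)
    return result


def triage(domains, trusted=TRUSTED_DOMAINS):
    """Return only the suspicious findings for a batch of observed domains."""
    return [r for r in (assess_domain(d, trusted) for d in domains) if r["verdict"] == "suspicious"]


if __name__ == "__main__":
    # Constructed sample of domains seen in mail headers or proxy logs.
    observed = ["38n0rth.example", "38north.org", "38north-login.example",
                "38nortth.example", "mail.38north.example", "unrelated-site.test"]
    for finding in triage(observed):
        print(f"{finding['domain']}: {finding['reason']} (mimics {finding['mimics']})")
```

The thresholds are intentionally conservative (one edit, names of five or more characters) to keep false positives low on short brand names; a real deployment would feed the flagged domains into a registration-date and certificate-transparency lookup rather than block on this heuristic alone.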

It mostly attacks South Korean and US targets.

In a podcast published alongside the report, Mandiant’s DPRK Operations specialist Michael Barnhart explained that APT43’s “bread and butter” is getting information about international responses to North Korea’s weapons program.

“This is a group that cares only about nukes and foreign policy,” he said. 

While it attacks government, business and manufacturing targets, the targets of most interest are educational, research and think-tank organisations focusing on geopolitical and nuclear policy.

Mandiant cited the case of Jenny Town, director of the North Korea-focused intelligence publication 38 North, whom APT43 impersonated to learn about possible targets in the analyst community.

Cryptocurrency crimes

Its chief source of espionage funding is stolen and laundered cryptocurrency. The theft relies on credential collection, Mandiant said.

For example, it created a malicious Android app to target “most likely Chinese users” seeking cryptocurrency loans.

“The app and an associated domain probably harvested credentials”, Mandiant explained.

It also uses a wide variety of malware variants.

Its best-known activity is based on LATEOP, “a backdoor based on VisualBasic scripts”, but the group has been seen using h0st RAT, QUASARRAT, and AMADE, the report stated.

It has developed some of its own multiplatform tools, including one dubbed PENCILDOWN, an Android variant of a Windows downloader.

“Dirty cryptocurrency” is easy to launder, the report explained: APT43 uses the stolen funds to buy hash rental and cloud mining services, yielding cryptocurrency that isn’t associated with APT43’s original payments.

Copyright © iTnews.com.au. All rights reserved.