North Korean hackers crack DMARC to spoof emails from trusted sources


North Korean state-sponsored threat actors are abusing misconfigurations in DMARC to send convincing phishing emails and gather vital intelligence from Western targets, officials have warned.

A new joint advisory published by the US National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State outlines how the hacking collective known as Kimsuky, which is believed to be closely tied to the Lazarus Group and, through it, to the North Korean government, has been spotted abusing improperly configured DMARC record policies to make its emails appear to come from legitimate sources.

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance, and is described as an email authentication protocol that helps prevent email spoofing, phishing, and other fraudulent activities. DMARC works by letting senders authenticate their messages (for example through cryptographic signatures) and by publishing a policy that tells recipients how to handle messages that fail that authentication.
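The misconfiguration at issue is a DMARC record whose policy does not tell receivers to act on failures. The following added example (not code from the advisory or from TechRadar) parses a DMARC TXT record and lists why it would let a message that fails authentication through; the two records and the example.org reporting address are constructed, not taken from the page.

```python
# Constructed sample records; real ones are published as DNS TXT records at _dmarc.<domain>.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:reports@example.org"
STRICT_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:reports@example.org"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs, with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings that explain why a message failing SPF/DKIM alignment
    would still be delivered under this record. An empty list means the
    policy is enforcing (quarantine or reject, applied to all mail)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a valid DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failing messages are delivered and only reported")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid p={policy!r}: receivers fall back to p=none or ignore the record")
    # pct= limits how many failing messages the policy is applied to (default 100).
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing messages get the policy applied")
    # Subdomain policy sp= defaults to the domain policy when absent.
    if tags.get("sp", policy).lower() == "none":
        findings.append("effective sp=none: mail from subdomains can be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received, so spoofing goes unnoticed")
    return findings


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD)):
        print(label, assess_dmarc(rec) or ["enforcing"])
```

Run against a real domain by fetching the `_dmarc.<domain>` TXT record with your resolver and passing the string to `assess_dmarc`.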

Grabbing intelligence

The three agencies said Kimsuky’s goal is to “collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets' private documents, research, and communications.”

To make sure the victim responds to the phishing email and shares the information they are after, the hackers prepare diligently. They thoroughly research their target and, when reaching out, either create fake identities or impersonate real people. When borrowing someone else's identity, they mostly impersonate journalists, academics, or other experts in East Asian affairs “with credible links to North Korean policy circles,” the agencies said.

Citing an earlier Proofpoint report, TheHackerNews said this technique was first observed in December last year, when Kimsuky engaged in a “broader effort” to target foreign policy experts for their opinions on nuclear disarmament, among other things. Kimsuky is a “savvy social engineering expert”, the publication concluded.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.