The NSA and the FBI have issued a joint warning, citing concerns about North Korean hackers connected to APT43 taking advantage of weak email DMARC (Domain-based Message Authentication Reporting and Conformance) policies. This hacker organisation has been using sophisticated strategies to carry out spearphishing attacks and is believed to be connected to North Korea’s Reconnaissance General Bureau (RGB).
APT43 uses improperly configured DMARC policies as part of its operational strategy for spearphishing attacks. The purpose of these campaigns is to trick receivers by sending fake emails that seem to come from reliable sources, including academics and journalists, especially those with an interest in East Asian matters.
Moreover, the group exploits the trust associated with these impersonated sources to penetrate the networks of its targets, which include think tanks, research centres, academic institutions, and media organisations in the US, Europe, Japan, and South Korea.
Gathering intelligence on geopolitical developments, adversaries’ foreign policy tactics, and any information relevant to North Korea’s objectives is the main goal of these intrusions. By gaining unauthorised access to its targets’ private documents, research materials, and communications, APT43 supplies the North Korean regime with geopolitical insights in support of its national intelligence objectives.
APT43’s spearphishing attacks highlight advanced social engineering amidst concerns over weak DMARC policies.
It is also concerning that APT43 operators have been posing as professors and journalists to lend legitimacy to their spearphishing campaigns. This tactic lets them craft more persuasive emails and raises the likelihood of a successful compromise, underlining the group’s advanced approach to social engineering.
To counter this growing threat, the FBI, US Department of State, and NSA have advised mitigations centred on tightening DMARC policies. Organisations should publish a DMARC record such as “v=DMARC1; p=quarantine;” or “v=DMARC1; p=reject;”. By quarantining or outright rejecting emails that fail DMARC checks, these configurations aim to stop APT43’s spoofed emails from reaching inboxes inside target networks.
Beyond setting the “p” tag, organisations are advised to include additional DMARC tags such as “rua” so that they receive aggregate reports on DMARC results for emails claiming to originate from their domain. Strengthening email authentication in this way helps organisations reduce the risk posed by APT43 and other hostile actors seeking to abuse weak email policies for malicious ends.
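To show what the recommended records do on the receiving side, here is an added Python example (not code from the advisory or this article): it parses a DMARC TXT record, applies the p= policy to a message that fails both SPF and DKIM alignment, and flags the gaps the advisory names. The sample records, domain and report mailbox are constructed placeholders; the pct= check goes slightly beyond the page, using the standard DMARC tag that limits how much mail the policy covers.

```python
# Constructed sample DMARC TXT records; domain and mailbox are placeholders.
WEAK_RECORD = "v=DMARC1; p=none;"
HARDENED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; pct=100"

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("record needs p=none, p=quarantine or p=reject")
    return tags


def disposition(tags: dict, spf_aligned: bool, dkim_aligned: bool) -> str:
    """Receiver-side verdict for one message: DMARC passes if SPF or DKIM both
    authenticates and aligns with the From: domain; otherwise apply p=."""
    if spf_aligned or dkim_aligned:
        return "pass"
    policy = tags["p"].lower()
    # p=none is monitoring only: the spoofed message is still delivered.
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


def weaknesses(tags: dict) -> list:
    """Flag the configuration gaps the advisory calls out: p=none lets spoofed
    mail through, and a missing rua= means the domain owner gets no aggregate
    reports showing who is sending on its behalf."""
    issues = []
    if tags["p"].lower() == "none":
        issues.append("p=none: failing mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= tag: no aggregate reports of spoofing attempts")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied only to a sample of mail")
    return issues
```

Running `disposition(parse_dmarc(WEAK_RECORD), False, False)` returns "deliver", while the hardened record returns "reject" for the same failing message.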
The increasing sophistication and extent of cyber threats demand that organisations be vigilant and take proactive measures to safeguard their digital assets from unforeseen attacks. Further, businesses and organisations can successfully reduce the risks posed by cyber adversaries like APT43 by putting strong cybersecurity measures in place and keeping up to date on evolving threats.