Almost like James Bond: Proofpoint, Inc. has published an in-depth analysis of the activities of a group of cyber criminals. It is TA406 (Threat Actor 406), a group that is believed to have very close ties to the North Korean regime. In the past, TA406 was mainly involved in espionage, but in 2021 it added other criminal tactics such as sextortion to its attack portfolio. The group that Proofpoint designates TA406 is publicly known under the names Kimsuky, Thallium and Konni Group.
Usually little is known about cybercriminal groups (threat actors); detailed analyses and procedures are often kept confidential so that these groups learn as little as possible about what security companies and investigative authorities already know about them. Now Proofpoint has made an exception and published a detailed analysis of TA406. The US cybersecurity company found that TA406 is involved in three branches of criminal activity: fraud, espionage and theft. In addition to its members, North Korean state institutions in particular are likely to benefit from the group’s criminal success.
Proofpoint has been monitoring the group since 2018. Its focus is on the theft of credentials for solutions and systems in educational institutions, government agencies, media and other organizations.
Similar to the group called “Lazarus”, the name “Kimsuky” has developed into a collective term for a variety of activities. The insights into the behavior and patterns of the attacks allow Proofpoint to further divide Kimsuky into three different groups of threat actors (TA406, TA408 and TA427) and several unidentified actors.
Until recently, the TA406 campaigns tended to be of low volume, i.e. the number of fraudulent e-mails was rather low. In addition, the group does not typically use malware in campaigns. However, in two campaigns in 2021 attributed to this group, they attempted to spread malware that can be used to gather information. In addition, from January to June 2021, Proofpoint monitored almost weekly campaigns by TA406 targeting foreign policy experts, journalists and non-governmental organizations (NGOs).
Proofpoint anticipates that this threat actor will continue to frequently carry out corporate credential theft. The main targets are institutions that are of interest to the North Korean government.
The detailed analysis shows how the criminals work, which tools, techniques and technologies they use, the distribution of the attacks over time and much more.