Experts on nuclear security policy and weapons proliferation were contacted by suspected North Korean hackers posing as Voice of America journalists, according to a threat intelligence group, which says this is part of a recent pattern of impersonating reporters from major news organizations.
The online spies were attempting to gather intelligence about the stance of international officials toward the Pyongyang government of Kim Jong Un, according to a report issued by Mandiant, an American cybersecurity firm and subsidiary of Google.
It is the latest known attempt in recent months by the cyber-espionage group known as APT43, also referred to as “Kimsuky” or “Thallium,” posing as journalists and targeting government organizations in the United States and South Korea, as well as academics and think tank analysts.
At least seven journalists from five news organizations were impersonated by someone with APT43, Mandiant Senior Analyst Gary Freas told VOA on Wednesday.
“We have seen success in gathering sensitive information related to Korean Peninsula affairs,” such as targeted individuals answering questions about Western sentiment about North Korean activity, including nuclear proliferation and missile launches, Freas said.
In one email from Oct. 14, 2022, obtained by Mandiant, the sender, impersonating a VOA reporter, posed several questions related to North Korea’s missile and nuclear weapons testing programs, including: “Would Japan increase the defense budget and a more proactive defense policy?”
The recipient was asked to “send me your answers within 5 days.”
VOA “is aware that malevolent actors have attempted to impersonate our journalists in attempts to obtain information from third parties, including on nuclear proliferation issues,” said Nigel Gibbs, a VOA spokesperson. “It is something we are mindful of, and we take extra care to verify our identity and educate sources about potential impersonators.”
Mandiant said that in recent months it had been in contact with USAGM about the suspected North Korean operation impersonating VOA reporters.
“Trust between our journalists and their sources is imperative,” USAGM Public Affairs Director Laurie Moy said. “USAGM goes to great lengths to protect the security and integrity of our network journalists’ communications tools. We employ a number of reputation management services, including identifying impersonations and fake social media accounts and ensuring that public-facing images are verified and associated with agency resources.”
Moy continued: “We also provide robust IT system security to support safety concerns for our journalists. USAGM provides encrypted equipment, ensures multifactor authentication for systems access, and routinely monitors for vulnerabilities and external threats.”
Fake emails, claiming to be from reporters of VOA’s Korean Service, have been frequently sent to academics, officials and others requesting comment. In some cases, recipients of those emails have contacted VOA’s Seoul bureau and were informed the queries were not authentic.
“Our team has been a target of various aggressive phishing attempts, including impersonation, over the past few years,” said Dong Hyuk Lee, VOA’s Korean Service chief. “A dozen reporters on my team, including me, were targeted. As far as I can remember, we notified the agency's IT office or (USAGM) security, if needed, about every case.”
Earlier this month, Mandiant also revealed that the same hacking group distributed an attachment to an email that appeared to be from a recruiter for The New York Times.
There has been similar activity linked to Pyongyang in recent years, including a phishing scam targeting journalists in South Korea in which the sender posed as a scriptwriter for the Korean Broadcasting System seeking information about North Korea.
"State-sponsored hackers regularly target or pose as journalists,” Joseph Bodnar, a research analyst for the Alliance for Securing Democracy, told VOA. “Reporters have information and access that most people don’t have. Masquerading as a journalist can be an easy way for hackers to gain and exploit a target’s trust.”
Proofpoint, a cybersecurity firm, issued a report last year detailing efforts by state-sponsored hackers in North Korea, as well as China, Iran and Turkey, to spy on or impersonate mostly U.S.-based journalists.
“These hackers can be sloppy, sending messages with incorrect grammar or misspelled words,” Bodnar said. “Google searches could reveal that the reporter they’re posing as doesn’t exist or uses a different email address. There are basic cybersecurity practices that can help people defend against this threat."
At the State Department on Wednesday, principal deputy spokesperson Vedant Patel said that while he couldn’t address the specific events involving the impersonation of New York Times and VOA personnel, “of course the DPRK is known for taking a number of destabilizing and malign steps. This is something we are being vigilant about.”
DPRK refers to the Democratic People’s Republic of Korea, the official name of North Korea.
North Korea “often leverages nation-state malicious cyber actors to generate revenue for the regime while evading sanctions,” the U.S. Cyber National Mission Force’s Major Katrina Cheesman told VOA. “The DPRK cyber actors do this through a range of illicit means, such as cryptocurrency theft, money-laundering, ransomware and fraudulent activities of DPRK IT workers abroad.”
The Kimsuky APT group has most likely been operating since 2012, according to the U.S. Cybersecurity and Infrastructure Security Agency. It is primarily focused on carrying out financially motivated cybercrime to support the North Korean government, according to intelligence analysts.
During the coronavirus pandemic, attention shifted to pharmaceutical and other health-related companies. Other related activities APT43 is alleged to be involved with include registering web domains meant to look like legitimate websites, including one for Cornell University, an Ivy League school. The group has also used malicious apps to steal usernames and passwords and to generate cryptocurrency.
“APT43 is exceptionally good at convincing its targets,” Freas, the Mandiant analyst, said. “We've seen APT43 create email addresses that look similar to news reporters, or analysts at think tanks, and simultaneously spin up fake domains that also look similar to the real news outlet they are spoofing. They'll add these to their email signatures so even if the victim grows suspicious and visits APT43's hosted domain, it has the look and feel of a real news site.”