
North Korean hackers employ a distinctive strategy to monitor foreign experts

By Josh Taylor

Dec 12, 2022

It appeared to be business as usual when Daniel DePetris, a foreign policy expert based in the US, got an email in October from the director of the 38 North think tank commissioning an essay.
It was not.
According to people involved and three cybersecurity experts, the sender was really a suspected North Korean spy looking for information.
Rather than infecting his computer and stealing critical information, as hackers normally do, the sender appeared to be trying to elicit his opinions on North Korean security concerns by posing as 38 North director Jenny Town.
“When I followed up with the individual and learned that there had been no request made and that this person had also been targeted, I understood it wasn’t real,” DePetris told Reuters, referring to Town. “So I immediately saw that this was a widespread effort.”
The email is part of a new, previously unknown effort by a suspected North Korean hacker outfit, according to five targeted people, cybersecurity experts, and emails seen by Reuters.
The hacker collective, known by researchers as Thallium or Kimsuky among other names, has long employed “spear-phishing” emails to deceive recipients into opening malicious files or links or divulging passwords. However, it now also seems to be asking for the thoughts or reports of researchers or other specialists.
Other topics raised, according to emails seen by Reuters, included China’s response in the case of a future nuclear test and whether a “quieter” approach to North Korean “aggression” could be necessary.
“The attackers are having a tonne of success with this very, very easy way,” said James Elliott of the Microsoft Threat Intelligence Center (MSTIC), who also noted that the new strategy initially surfaced in January. The attackers have entirely altered the technique.
According to MSTIC, “many” North Korea specialists have been found to have sent details to a Thallium attacker account.
According to the cybersecurity researchers, the specialists and analysts targeted by the operation have a significant impact on how foreign governments and the general public see North Korea.
Thallium has been active since 2012, according to a 2020 assessment by US government cybersecurity organisations, and “is most likely assigned by the North Korean dictatorship with a global intelligence collecting objective.”
According to Microsoft, Thallium has historically targeted government workers, think tanks, academia, and human rights organisations.
According to Elliott, “The attackers are getting the knowledge straight from the expert, if you will, and they don’t have to sit there and create interpretations because they’re getting it.”
North Korean hackers are notorious for attacks that netted millions of dollars, for attacking Sony Pictures because of a movie that was seen to be derogatory to its leader, and for obtaining data from defence and pharmaceutical firms, foreign governments, and other organisations.
Although it has previously denied being involved in cybercrime, the North Korean embassy in London did not reply to a request for comment.
According to Saher Naumaan, chief threat intelligence analyst at BAE Systems Applied Intelligence, in prior attacks, Thallium and other hackers have spent weeks or months earning the trust of a target before distributing dangerous malware.
Microsoft says the group now occasionally converses with specialists without ever sending any malicious files or links, even after the victims respond.
This method can be quicker than taking over someone’s account and searching through their emails, and it bypasses conventional technical security programmes that would scan and flag a message with harmful components. It also gives the spies direct access to the experts’ thoughts, according to Elliott.
“It’s extremely, incredibly difficult for us to block these emails as defenders,” he said, adding that most of the time it depends on the recipient being able to figure it out.
Town said that several emails claiming to be from her replicated her whole signature line but used an email address that ended in “.live” rather than her official account, which ends in “.org.”
She said that in one instance, she was part of an odd email conversation in which the suspected attacker included her in a reply while impersonating her.
The emails he has received, according to DePetris, a fellow with Defense Priorities and a columnist for a number of publications, were written as if a researcher were requesting a paper submission or comments on a draft.
They were pretty skilled, he said, adding think tank logos to the emails to give the impression that the request is real.
Three weeks or so after receiving the phoney email from 38 North, a different hacker impersonating him sent emails to additional persons asking them to review a draft, according to DePetris.
The email, which DePetris sent to Reuters, requests suggestions for other potential reviewers and offers $300 for evaluating a book regarding North Korea’s nuclear development. Elliott said that the hackers had no intention of ever paying anyone for their work or comments.
