North Korean spies turn the tables on watchdogs

A suspected North Korean espionage group has been spotted going after journalists and security pros who take an interest in the ostracized country – ironically by pretending to offer intelligence on a rival threat actor from the same nation.

Known alternately as ScarCruft and InkySquid, the group has been spotted by cybersecurity analyst SentinelLabs targeting its would-be hunters with malware.

“ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals,” said SentinelLabs.

The cybersecurity analyst believes the North Korean protagonist “remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies.”

The most notable lure used by ScarCruft involves posing as a cybersecurity researcher offering intelligence on Kimsuky – another suspected North Korean threat group that has been on the radar of experts for some time.

“In an interesting twist, ScarCruft is testing malware infection chains that use a technical threat research report on Kimsuky as a decoy document,” said SentinelLabs.

It further believes that Kimsuky and ScarCruft are sharing infrastructure and tools such as command and control servers, suggesting there could also be collusion between the two in this latest campaign of deception.

Hunters become the hunted

SentinelLabs warns that the hunters could end up becoming the hunted if they do not exercise due caution when approached with what seems to be useful information on either of the groups.

“Given ScarCruft’s practice of using decoy documents relevant to targeted individuals, we suspect that the planned campaigns will likely target consumers of technical threat intelligence reports, like threat researchers, cyber policy organizations, and other cybersecurity professionals,” it said.

Part of the lure involves using phishing emails purporting to be from legitimate groups such as the “North Korea Research Institute.” Cybernews conducted a Google search of this name but could not find an exact match – however, SentinelLabs explained this was a machine translation of the authentic Institute for North Korean Studies, as written in Korean-language social messages sent by ScarCruft that it scrutinized.

This veneer of legitimacy is, of course, designed to make the malware-laden emails more enticing, encouraging researchers and journalists to open them and follow their links or attachments.

[Image: phishing email sent in Korean, purporting to offer intelligence on a cyberattack. In fact it is a ploy designed to lure unwary journalists and researchers into downloading malware.]

SentinelLabs believes the malware, once it has infected an unwary victim, is most likely used for espionage purposes, or "to gather strategic intelligence," allowing ScarCruft to spy on the very entities trying to keep tabs on it.

“By targeting high-profile experts in North Korean affairs and news organizations focused on North Korea, ScarCruft continues to fulfill its primary objective of gathering strategic intelligence,” said SentinelLabs. “This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea.”

SentinelLabs believes this intelligence is being relayed back to Pyongyang, where it will play a part in the country’s “decision-making processes” – though such claims are nearly impossible to verify given the lack of dialog between North Korea and its antagonists.

“ScarCruft’s focus on consumers of technical threat intelligence reports suggests an intent to gain insights into non-public cyber threat intelligence and defense strategies,” it added. “This helps in identifying potential threats to their operations and contributes to refining their operational and evasive approaches.”
