
North Korean Cyber Actors Exploiting Weak DMARC Policies

The FBI, the U.S. Department of State, and the National Security Agency (NSA) have issued a joint advisory warning that North Korean cyber actors are exploiting weak DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies. The advisory describes how the Kimsuky group spoofs the email domains of trusted organizations to conduct spear phishing campaigns.

Understanding DMARC and Its Importance

DMARC is an email authentication policy and reporting protocol. It builds on two existing checks, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM): a message passes DMARC when at least one of those checks passes and the domain it authenticated aligns with the domain shown in the visible From: header. The domain owner publishes a DMARC record in DNS that tells receiving mail servers what to do with messages that fail. When properly configured, DMARC prevents attackers from delivering mail that appears to come from a legitimate domain.

Unfortunately, many organizations either publish no DMARC record at all or set the policy to “none,” which only requests reports and asks receivers to take no action on messages that fail authentication. In either case a message that spoofs the domain in the From: header can still be delivered, and that gap is exactly what North Korean actors rely on for their phishing attacks.

North Korean Cyber Operations

North Korea’s cyber program is a crucial part of the regime’s intelligence and espionage efforts. The primary group involved in these activities is known as Kimsuky, which has been active since around 2012. This group operates under North Korea’s Reconnaissance General Bureau (RGB), targeting policy analysts and experts to gather intelligence on geopolitical events, foreign policies, and other areas critical to North Korean interests.

Kimsuky actors typically start with thorough research to identify high-value targets. They then use social engineering techniques to craft spear phishing emails that appear to come from trusted sources such as journalists, academics, or think tanks. These emails often contain malicious links or attachments designed to compromise the recipient’s device and gain access to their networks.

Examples of Kimsuky’s Tactics

Kimsuky’s emails are meticulously crafted to appear legitimate. They often use real email addresses and domains from compromised accounts to bypass initial scrutiny. For instance, they might send an email inviting a target to speak at a conference or respond to media queries. These emails can look authentic because they may contain content lifted from previous legitimate communications.

In one example, a Kimsuky email invited a target to speak at a workshop hosted by a legitimate think tank, offering a speaker fee to entice participation. The message was actually sent through a legitimate university’s email domain while the From: header claimed the think tank’s domain, so it failed DMARC: the domain that authenticated did not align with the spoofed think tank domain. A failure like this only stops the message if the spoofed domain publishes a quarantine or reject policy; under a “none” policy the receiver is asked to deliver it anyway.

Mitigation Measures and Actions to Take

To protect against such threats, organizations are advised to strengthen and update their DMARC policies. The advisory recommends setting the policy tag (“p=”) in your company’s DMARC record to either “quarantine” or “reject” so that receivers act on emails that fail authentication checks:

Quarantine: “v=DMARC1; p=quarantine;”

This setting asks receivers to treat failing messages as suspicious, which in practice means delivering them to the recipient’s spam or junk folder.

Reject: “v=DMARC1; p=reject;”

This setting asks receivers to refuse failing messages outright, so they never reach the recipient’s inbox.

Additionally, organizations should add an “rua=” tag to the record so that receivers send aggregate reports on authentication results. These reports show which sources are sending mail for the domain and whether they pass aligned SPF or DKIM, which is how you find legitimate senders (marketing platforms, ticketing systems, and so on) that still need fixing before moving to “reject”; tightening the policy before that is done will block your own mail along with the spoofed mail. The “pct=” tag can be used to apply the stricter policy to a percentage of failing messages while the rollout is validated.
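The following is an added example, not code from the page or from the joint advisory: a small Python DMARC evaluator that parses a published DMARC record and the Authentication-Results header a receiving mail server stamps on a message, checks SPF/DKIM alignment against the From: domain, and returns the disposition the policy requests. It reproduces the scenario above (a think tank domain spoofed in From:, mail relayed through a university domain) under a “none” policy and under a “reject” policy. All domain names, records, and header values are constructed for illustration.

```python
"""
Added example (not code from the page or the advisory): a minimal DMARC
evaluator. It shows why a p=none policy lets a spoofed message through
while p=quarantine / p=reject stops it. Domains, records and headers
are constructed for illustration.
"""
import re


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with spec defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC1 record: %r" % txt)
    tags.setdefault("adkim", "r")   # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    return tags


def parse_auth_results(header: str) -> dict:
    """Extract SPF/DKIM results and the domains they authenticated."""
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results") else header
    spf = re.search(r"spf=(\w+)(?:[^;]*?smtp\.mailfrom=([\w.-]+))?", body)
    dkim = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", body)
    return {
        "spf": (spf.group(1), spf.group(2)) if spf else ("none", None),
        "dkim": (dkim.group(1), dkim.group(2)) if dkim else ("none", None),
    }


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real receivers consult the Public Suffix List (e.g. for ac.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain: str, dmarc_record: str, auth_results: str) -> dict:
    """Return the DMARC result and the disposition the policy requests.
    The pct= sampling tag is not modelled; the policy is applied in full."""
    policy = parse_dmarc(dmarc_record)
    ar = parse_auth_results(auth_results)
    spf_result, spf_domain = ar["spf"]
    dkim_result, dkim_domain = ar["dkim"]
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    if passed:
        disposition = "none"
    else:
        disposition = policy["p"]
        # sp= overrides p= for mail claiming a subdomain of the policy domain
        if "sp" in policy and from_domain.lower() != org_domain(from_domain):
            disposition = policy["sp"]
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "policy": policy["p"], "disposition": disposition}


# Constructed scenario: the From: header claims a think tank, but the message
# was relayed through a compromised university mailbox, so SPF passes only
# for the university domain and there is no DKIM signature at all.
SPOOFED_FROM = "thinktank.example"
SPOOFED_RESULTS = ("Authentication-Results: mx.receiver.example; "
                   "spf=pass smtp.mailfrom=university.example; dkim=none")
LEGIT_RESULTS = ("Authentication-Results: mx.receiver.example; "
                 "spf=pass smtp.mailfrom=thinktank.example; "
                 "dkim=pass header.d=thinktank.example")
WEAK_RECORD = "v=DMARC1; p=none;"
HARDENED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@thinktank.example"

if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(name, "spoofed:", evaluate(SPOOFED_FROM, record, SPOOFED_RESULTS))
    print("hardened legit:", evaluate(SPOOFED_FROM, HARDENED_RECORD, LEGIT_RESULTS))
```

With the weak record the spoofed message fails DMARC yet gets a disposition of “none”, so the receiver delivers it; with the hardened record the same message is rejected, while genuinely aligned mail still passes. To inspect a real domain’s published policy, query the TXT record at `_dmarc.<domain>` (for example with `dig`).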

Indicators of Malicious Activity

Here are some red flags to watch out for that might indicate a spear phishing attempt by North Korean actors:

  • An initial, benign message with no links, followed by messages containing malicious links or attachments once rapport is established.
  • Poor grammar or awkward sentence structure in emails.
  • Content lifted from previous legitimate communications to add credibility.
  • Attached documents that ask the recipient to enable macros in order to view them.
  • Persistent follow-up emails if the initial message goes unanswered.
  • Emails that appear to come from official government employees or members of the military.

Reporting and Further Information

Individuals and organizations targeted by these spear phishing campaigns are urged to report incidents to the FBI’s Internet Crime Complaint Center (IC3) and to include specific details about the incident. We are sharing this report for informational purposes only. All references in this report are taken from the official joint advisory.

Organizations must take proactive steps to strengthen their email security and educate their employees and staff to mitigate these risks.

Additional Security Recommendations

  • Review and update email security policies regularly.
  • Educate employees on how to spot signs of phishing and social engineering attacks.
  • Implement multi-factor authentication so that a phished password alone does not grant access.

