A group of alleged cybercriminals has been using several techniques to target U.S. companies and government agencies on behalf of the North Korean government, according to experts.
Cyber intelligence analysts at Google have identified what is known as an "advanced persistent threat" (APT), the term used for a well-resourced group, often state-backed, that conducts sustained intrusion campaigns against chosen targets.
Designated as "APT43" in a new report from Google Cloud's cyber intelligence arm Mandiant, the group is believed to be supporting -- and possibly affiliated with -- North Korea's primary foreign intelligence service through espionage targeted at foreign government agencies, private companies and educational institutions around the world.
"Although the overall targeting reach is broad, the ultimate aim of campaigns is most likely centered around enabling North Korea's weapons program, including: collecting information about international negotiations, sanctions policy, and other countries' foreign relations and domestic politics as these may affect North Korea's nuclear ambitions," the report found.
Analysts have observed a flurry of activity from APT43 going back to 2018, with efforts focused on spear-phishing campaigns that aim to harvest login credentials and other private user information. This approach relies on "social engineering," in which the bad actor engages real people and attempts to develop a rapport with them in order to solicit valuable information.
In one case, APT43 was observed attempting to establish a relationship with a potential victim by impersonating a journalist with an email titled "Request for comments" and questions about geopolitical responses to North Korean military expansion.
To fund these efforts, the report found, the group steals and launders cryptocurrency. Once the currency is stolen -- typically by harvesting private online user information -- the group was observed laundering the assets through cloud mining and hash rental services, which accept the tainted coins as payment and return freshly mined coins of a different currency for a fee. That process effectively breaks the publicly visible on-chain link between the stolen funds and the coins the group ends up holding, experts said.
"Put another way, imagine you stole millions of dollars in gold, and while everyone is looking for stolen gold, you pay silver miners with stolen gold to excavate silver for you," Mandiant Principal Analyst Michael Barnhart said. "Similarly, APT43 deposits stolen cryptocurrency into various cloud mining services to mine for a different cryptocurrency. For a small fee, DPRK walks away with untracked, clean currency to do as they wish."
Mandiant's newly released report is in line with strategies established by the Biden administration's top cybersecurity officials to encourage information sharing about cyber threats.
One app that could pose a cyberthreat, according to a very senior official, is TikTok. Cybersecurity and Infrastructure Security Agency Director Jennifer Easterly told lawmakers Tuesday she supports banning the Chinese-owned social media giant, which has brought short-form video-sharing to a massive audience, calling it a "huge, huge risk."
"I think we need to be really, really mindful of not just TikTok -- That's an important and prominent issue … [but] it's all sorts of Chinese technology that's in our critical infrastructure supply chain. We need to be very concerned about that. And then frankly, from a strategic level, we need to be very concerned," she said.
Despite the prevalence of the threat, Easterly expressed doubt about whether a full ban would be possible in the United States. Virtual private networks and similar tools let users route their traffic through servers in other countries, masking where they actually are and letting them sidestep geography-based blocks, which would make a U.S. ban difficult to enforce, experts say.
CISA, one of the leading agencies working to establish cybersecurity reporting norms and standards, will work to help victims of cybercrime and strengthen vulnerable institutions, Easterly vowed.
"We are not here to name, to shame, to stab the wounded," she said. "We are here to render assistance and then to use that data, very importantly, to protect the rest of the ecosystem. If you're in a neighborhood and your neighbor gets robbed, I want to know that so you can actually lock your doors and put your guard dog out. It's important for our collective defense. We are facing some very, very serious threats to our nation, to our critical infrastructure."
The director said CISA is working to improve its own "visibility into the overall ecosystem" of cyberattacks while acknowledging the agency's limitations. Easterly referenced her time in the private sector where the "return on investment was things not happening."
"So you know, at a broad level, bad things not happening is hard to -- hard to measure," Easterly said. "So what we want to do is get more granular with the visibility, what we've gotten out of that [budget], to say this is how we've reduced the incidence of bad things happening."
However, cybersecurity authorities -- and Easterly herself -- have raised alarms about the daily onslaught of cyberattacks originating outside the U.S. As part of efforts to counter these threats, CISA publishes cybersecurity road maps to help government and industry reduce risk, and it fields regional security advisors who offer direct assistance to state and local government bodies.
Rep. Andy Harris, R-Md., pressed Easterly on whether CISA had any involvement in suppressing stories about the laptop belonging to President Joe Biden's son Hunter. The director swiftly dismissed the assertion, noting she was not in the job at the time, and outlined the work the agency does to help local governments counter disinformation.
"What I want to talk about is what our actual mission is, what we're doing for state and local election officials who have asked for our help in dealing with foreign influence and disinformation operations," Easterly said. "And that is to support them in amplifying their trusted voices and providing them what they need to be able to ensure that the American people have confidence in the integrity of their elections. And this is not a partisan issue, sir."