Details of a secret North Korean cyber hit list are spreading in Washington, with a widening slate of high-level current and former U.S. intelligence officials, media executives and national security scholars finding themselves in the hackers’ crosshairs.
The Biden administration is scrambling to respond.
The FBI, the National Security Agency and the State Department are preparing a new cyber strategy to specifically counter what officials describe as a sophisticated North Korean “spear phishing” threat. The administration remains tight-lipped about the effort, although sources familiar with it say the strategy will be made public in the coming days.
In interviews with more than a dozen current and former national security officials, The Washington Times learned that a core aspect of the threat involves hackers tied to North Korean intelligence using bogus email accounts to impersonate U.S. officials.
While the fake accounts are initially used to spur conversations with high-level policy experts, sources told The Times that the hackers are likely engaged in a more sinister campaign to burrow deep inside the computer networks of companies and institutions intimately engaged in national security.
The cybersecurity firm Mandiant has been involved in identifying the nature of the threat, as has the firm’s parent company, Google.
SEE ALSO: GOP hopefuls hit Trump for congratulating Kim Jong-un over WHO seat
Sources at Mandiant who are familiar with the cyber campaign say it is being carried out by the North Korean hacking group APT43, an apparatus of North Korean intelligence.
Others interviewed by The Times said the attackers are after officials with sensitive knowledge of security policymaking and nuclear proliferation.
Joseph DeTrani, a former CIA official and longtime diplomat who represented the U.S. in talks with the North Koreans, said he learned in recent months that the hackers had targeted and impersonated him — using a fabricated email address very similar to his to send queries to a range of people in his contact lists.
“Most likely this is not only about trying to trick U.S. analysts and experts into revealing their thinking and assessments on North Korea,” Mr. DeTrani said. “The cyber operation is also about trying to penetrate clandestinely into sensitive computer systems.”
Such penetration would likely depend on hackers’ ability to persuade targets to click on malware links embedded in emails, although the extent to which that may have occurred as part of the ongoing North Korean campaign is not clear.
Bruce Klingner, a former high-level CIA official in Korea now with The Heritage Foundation, said it has been understood for years that a hacker group known as “Kimsuky” operates as part of a global intelligence gathering mission for the isolated regime of North Korean leader Kim Jong Un, which has traditional information-collecting footprints in only a handful of countries around the world.
SEE ALSO: South Korea, Japan hit panic buttons even as North Korean launch fizzles
He told The Times that he has been targeted by bogus North Korean phishing emails at least eight times in recent years.
“The speculation would be that they think getting access to our email accounts is useful either to understand our analysis views or maybe to glean emails to and from government officials … perhaps toward the goal of targeting government systems,” Mr. Klingner said.
One of the sources who spoke with The Times said the North Korean campaign has grown so prevalent in recent months that FBI, NSA and State Department officials invited policy experts outside the government to attend a briefing on the threat last Friday, with plans to go public over the coming week with a new strategy for responding to it.
The FBI, which is the lead federal agency for investigating cyberattacks and countering foreign intelligence operations in the United States, did not answer repeated requests for comment. The bureau partnered with the NSA, the State Department, and South Korean government agencies in issuing a cybersecurity advisory on Thursday evening warning of social engineering and hacking threats posed by Kimsuky.
Another former U.S. intelligence official, who spoke on the condition of anonymity, said that on at least one occasion, North Korean hackers had contacted them via an email address claiming to belong to Jung H. Pak, the State Department’s deputy special representative for North Korea.
The former official became suspicious and contacted Ms. Pak via a separate email channel and she said: “No, that’s not me and other people have reported receiving that as well.”
The developments come amid heightened tensions surrounding North Korea, a military treaty ally of China. North Korea has engaged in a slate of missile and nuclear weapons provocations in recent years against a backdrop of increasing regional security cooperation between the U.S. and its allies South Korea and Japan.
Most recently, the Biden administration announced that Washington will soon deploy a nuclear weapons-armed submarine to South Korea for the first time in more than 40 years.
Links to North Korean intelligence
Mandiant, which has tracked North Korean hacking operations for the past five years, published findings in March asserting that the hackers are linked to North Korea’s main foreign intelligence service, the Reconnaissance General Bureau, or RGB.
The hackers, identified by Mandiant as APT43, have been observed in cyberspace targeting businesses, governments and researchers in the U.S., Europe, South Korea and Japan.
Mandiant cyber espionage analysis senior manager Benjamin Reed has more recently said that the firm has observed APT43 hackers targeting media organizations, including employees at The Times.
“We also have [uncovered] some of the ways in which this was done, sort of the infrastructure that was used,” Mr. Reed said in an interview. “We have other, kind of technical ways of linking back to this group.”
He declined to elaborate on how Mandiant obtained information about APT43’s targeting.
Google’s Threat Analysis Group, which works to combat government-based hacking and cyberattacks, is also involved in identifying the nature of the threat, and has tracked the North Korean hackers since 2012.
Adam Weidemann, who works in the Threat Analysis Group, published a blog post in April saying the North Korean hackers’ targets included government and military personnel, think tanks, policymakers, academics and researchers.
He told The Times in an interview that his team homed in on a subset of the hackers, which Google calls ARCHIPELAGO. The hackers’ techniques were initially rudimentary, he said, but he has watched them closely as they have mastered their art.
“Plenty of adversaries are impatient and, first email, it’s like, ‘Here, click this, executable,’” Mr. Weidemann said. “ARCHIPELAGO, we’ve seen in cases like well over a month, they’ll send emails back and forth with a target, and have that target fully believing that this person is harmless and they are who they say they are.”
A growing hit list
Smash-and-grab digital intrusions to get funding for its nuclear program are in North Korea’s cyberattacker playbook. So is more sophisticated impersonation.
A 2020 article by The Times revealed how Suzanne Scholte became aware of attempts to hack her email.
Ms. Scholte, who was involved in efforts to broadcast shortwave radio and other informational messages from South Korea into North Korea, said the hackers also impersonated a South Korean diplomat. She suspected that North Korean intelligence officials were aiming to undermine her work.
The more recent activity has targeted a wider group in Washington.
Robert Manning, a former State Department official and intelligence community adviser, said he received an email from the North Korean hackers mimicking a colleague, changing only the colleague’s middle initial.
Upon learning of the impersonation effort, Mr. Manning’s colleague said sorry for the confusion caused by the North Korean hackers — and then the hackers imitated that message and issued their own apology.
“They pretended they were sending me a piece to review,” Mr. Manning said. “And so it’s very easy to mistake because it looks like his email if you don’t carefully look at the one letter, a middle initial, and fortunately, I didn’t click on the link.”
Patrick Cronin, an expert who chairs Asia-Pacific security at the Hudson Institute, said he was recently notified of efforts to target his email account and is aware of previous efforts by North Korean hackers dating back years.
At least 50 researchers have been targeted and North Korea’s efforts have grown more sophisticated in recent months, according to Mr. Cronin, who told The Times that the hackers’ English has improved.
After a recent meeting with a South Korean government official in Washington, Mr. Cronin said, he soon received an email from someone impersonating that official. The experience made him wonder whether someone affiliated with the hackers had observed his whereabouts.
Mr. DeTrani, meanwhile, said he was incensed to learn of the impersonation operation against him. As a seasoned diplomat with decades of experience working in the region, he is no stranger to North Korean subterfuge, but he said he could not refrain from having an emotional response to being targeted.
“It’s anger. It’s anger that they’re using these tools to collect,” said Mr. DeTrani, who praised the work of outfits such as Mandiant in tracking the North Koreans but remained concerned about the lack of awareness of the threat.
At least two high-level representatives of The Times involved in producing “The Washington Brief,” a virtual, monthly event series backed by The Washington Times Foundation and regularly hosted by Mr. DeTrani, are among those who have been targeted.
Over the past two years, The Washington Brief has featured appearances by a wide range of former and current high-level U.S. officials focused on North Korea.
“Are we prepared?” Mr. DeTrani asked. “Should we be more prepared?”
Penetrating systems
The sophistication of North Korean cyber operations made global headlines in 2014 when a massive hack of Sony Pictures that was blamed on Pyongyang saw troves of confidential data from the company leak.
At the time, the movie studio was making a film that mocked Kim Jong Un.
Mr. Klingner cited hacking operations dating back as far as 2014 that resulted in the theft of millions of dollars from international financial institutions and cryptocurrency exchanges in Bangladesh, Chile, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey and Vietnam.
Mr. Klingner told The Times those cybertheft operations followed the same “modus operandi” as the bogus email spear-phishing campaign targeting U.S. experts. The hackers start by luring bank employees, and over many months, succeed in either penetrating a bank’s system through malware or gleaning enough sensitive information from the targeted individual to carry out fraud.
He cited a 2016 incident in which North Korean hackers stole $81 million from the Central Bank of Bangladesh’s New York Federal Reserve account. An attempt by the hackers to steal an additional $851 million was thwarted.
With that as a backdrop, the Biden administration is seen to be marshaling federal agencies to get answers to difficult questions about the North Korean hacking.
Top White House cyber official Anne Neuberger said in May that North Korean cyber operations that generate funding for the Kim regime’s missile programs are eating up “a lot of time and thought” in the administration.
The Treasury Department is tracking funding for North Korea’s cyberattacks and the departments of Defense and State are digging for information on the identity of the attackers, according to Ms. Neuberger, White House deputy national security adviser.
She listed questions that federal agencies are seeking to answer at a Center for Strategic and International Studies event, including whether U.S. officials may have overlooked a potential presence of North Korean operatives in the global tech industry.
“How could it be that a country like the DPRK is so darn creative in this space?” she said. “Is there a link between the fact that they have tech workers building some of the software around the world and perhaps the success of their offensive cyber teams in magically finding and exploiting vulnerabilities and gleaning hundreds of millions of dollars?”
The Treasury Department’s Office of Foreign Assets Control sanctioned four entities and one individual in May for malicious cyber activities that support North Korea.
The FBI, Treasury and Justice Department published an advisory in May warning people against unknowingly hiring and using North Korean information technology workers.
Update: This article was updated June 4, to clarify the role of Mandiant in identifying the nature of the cyber threat. After the initial online publication of the article, Mandiant said it does not have access to a list of the targets of North Korea’s cyber campaign. Mandiant also said it has shared details of the threat with its colleagues at Google’s Threat Analysis Group.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.
• Guy Taylor can be reached at gtaylor@washingtontimes.com.
Please read our comment policy before commenting.