Hackers linked to the North Korean regime waged weekly hacking campaigns in 2021, producing a noticeable uptick in activity from years past, cybersecurity company Proofpoint said in a new report Thursday.
Proofpoint analysts have tracked the hacker group called TA406 since 2018, but the volume of its activity remained low until 2021, when the hackers began weekly campaigns targeting nongovernmental organizations, foreign policy experts and journalists. The hackers adopted false personas and targeted people in North America, China and Russia, chiefly through credential-theft campaigns aimed at breaching the websites of research, education, government, media and other organizations.
“In early 2021, TA406 began almost weekly campaigns featuring themes that included nuclear weapon safety, U.S. President Joe Biden, Korean foreign policy and other political themes,” read the report from Proofpoint’s Darien Huss and Selena Larson. “The group attempted to collect credentials, such as Microsoft logins or other corporate credentials, from the targeted individuals. In some cases, the emails were benign in nature; these messages may have been attempts by the attackers to engage with victims before sending them a malicious link or attachment.”
The report said TA406 hackers engage in cybercrime, espionage and “sextortion,” which in this context involves extorting cryptocurrency from someone in exchange for not exposing scandalous personal information.
The hackers pretended to be Russian diplomats, academics and Korean individuals, among other false identities. For example, Proofpoint said it observed TA406 from late 2020 to early 2021 impersonating Eunjung Cho, a journalist at Voice of America based in Washington, according to the company’s website.
Proofpoint’s report also contended that TA406 picked new targets, including “some of the highest-ranking elected officials of several different governmental institutions,” around the time of the March 2021 missile tests conducted by Pyongyang.
The hacking attempts observed by Proofpoint, which is headquartered in Sunnyvale, California, come as other cybersecurity experts are warning of the rising threat of North Korean cyberattacks in the coming years, particularly given the regime’s lack of allies and economic trading partners.
“North Korea, with its geographical, international and financial challenges, is willing to take a lot of risks,” wrote cybersecurity firm Mandiant in its security predictions for 2022 report published earlier this month. “In 2022, we expect to see North Korea flex its cyber capabilities to make up for its lack of other instruments of national power.”