Proofpoint Inc. is a private U.S. enterprise cybersecurity company that, among other things, specializes in threat actor analysis and tracking, thanks to its high visibility in this area. The new report by Proofpoint, titled “Triple Threat: North Korea-Aligned TA406 Steals, Scams, and Spies” has brought to light significant details about the threat actors’ activity throughout 2021, among other findings. It is well-established in the cybersecurity community that Russia and China are known cybercrime perpetrators; however, it is sometimes easy to forget that nation-state North Korea (DPRK) also has a hefty cybercrime dossier when it comes to hacking activities, malware distribution, and connections to high-profile APT-related cyber incidents. Likewise, Iran also shares some of these attributes.
Who is TA406?
TA406 is a cyber threat actor that is confirmed to be aligned with North Korean APT groups. Proofpoint’s research indicates that TA406 is known for credential theft campaigns, distribution of malware, cybercrime, espionage, and sextortion. According to Proofpoint, threat actor TA406 is considered to be one of several such actors connected with cyber threat activity traced to Konni Group, Kimsuky, and Thallium.
Key Points in Proofpoint’s New Report
The fresh 49-page report throws a wide lens on the North Korean cyber threat scene timeline in 2021, as well as sheds focused light on the multi-talented, highly-skilled TA406. Proofpoint emphasized that they have described, “in detail many of the campaigns and behaviors associated with an actor operating on behalf of the North Korean Government” in the report. Apparently, security researchers have been tracking TA406’s arsenal of cybercrime tools, attack vectors, and scam methods since 2018. In 2018, the threat actor’s activity was low, “until the beginning of January 2021.” From January 2021 onwards, the report confirms, “almost two weekly campaigns targeting foreign policy experts, journalists, and nongovernmental organizations (NGOs).” Some other key points in the report, as well as specific details on the “financially motivated” threat actor TA406, comprise the following;
Throughout 2021, TA406 was responsible for credential theft campaigns targeting several sectors including media, government, education, research, and others Proofpoint has correlated TA406’s activity to Kimsuky, Thallium, and Konni (known for remote access trojans) threat groups Two malware campaigns in 2021 attempted to distribute malware in 2021 utilized for information gathering Confirmation that TA406 participates in sextortion, espionage, cybercrime activities such as cryptocurrency theft, and social engineering scam campaigns Kimsuky threat group activity has revealed two more DPRK threat actors known as TA408 and TA427 as well as several other unidentified actors Threat actor members primarily reside in Russia, China, and North America frequently masquerading, “as Russian diplomats and academics, Ministry of Foreign Affairs representatives, human rights officials or Korean individuals.”
A rather quirky detail in the report points to a pattern that all threat actor activities have in common: “The attacks are usually launched between 9 a.m. and 5 p.m. North Korean time, with a few exceptions. They also seemingly take a break for lunch.”
Report Contains Data on Two Previously Unpublished “Implants”
Proofpoint’s report includes two “implants” that have not been previously disclosed in open-source reporting, among which is one known as “FatBoy malware” — a type of ransomware offered as part of Ransomware-as-a-Service (RaaS.) The report also reveals a “Notable TA406 Malware” keylogger known as “YoreKey.”
Threat Activity Expected to Escalate
Proofpoint’s report confirms their suspicions of the state-backed threat actors’ unshakable loyalty to Pyongyang: “This threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government.” It comes as no surprise that the unrelenting nation-state will remain steadfast in attempting to topple its Western adversaries. As described in an article by The New Yorker, “The Reconnaissance General Bureau are trained specifically for this purpose. In 2013, Kim Jong Un described the men who worked in the “brave R.G.B.” as his “warriors… for the construction of a strong and prosperous nation.” North Korea “is the only nation in the world whose government is known to conduct nakedly criminal hacking for monetary gain.”