North Korean Cyber-criminal Recycles Tactics and Targets

A threat actor believed to be associated with the Democratic People’s Republic of Korea (DPRK) has a certain fondness for repetition, according to new research published today.



In the report Triple Threat: North Korea–Aligned TA406 Scams, Spies, and Steals, researchers at Proofpoint shine a light on the nefarious activity of the threat actor TA406, whose campaigns they have been tracking since 2018.



“What’s most notable about this North Korea–aligned threat actor is their penchant for reusing the same tactics and targeting the same individuals over and over again,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. 



“They also have used everything from sextortion to legitimate services in the name of financial gain.”



Proofpoint’s research team believe TA406 to be one of several actors responsible for cyber-criminal activity publicly tracked as the Kimsuky, Thallium, and Konni Group. 



The researchers also have “high confidence” that TA406 is operating on behalf of the North Korean government. 



TA406 has been conducting espionage-motivated campaigns since at least 2012 and financially motivated campaigns since at least 2018. 



Until January 2021, TA406 campaigns remained low in volume. However, with the start of the year, the threat actor ramped up their activity to include almost weekly campaigns targeting foreign policy experts, journalists, and non-governmental organizations (NGOs).



While TA406 has been observed using many different malware families, including KONNI, SANNY, CARROTBAT/CARROTBALL, BabyShark, Amadey and Android Moez, this threat actor isn’t known primarily for campaigns that employ malware.



However, researchers attributed to TA406 two campaign ..
