North Korean government hackers focused on gathering strategic intelligence have carried out a series of campaigns against media organizations and high-profile experts in the country’s affairs, while also preparing a campaign likely designed to target cybersecurity researchers, according to a new report from SentinelLabs.
The hacking unit — tracked as ScarCruft and believed to be working out of North Korea’s Ministry of State Security — was observed targeting the same experts repeatedly over November and December 2023, researchers Aleksandar Milenkoski and Tom Hegel reported Monday.
The operation’s targets were sent phishing emails whose payloads, if executed, would install the RokRAT backdoor, the researchers said.
As part of the research, Milenkoski and Hegel also retrieved malware in the planning and testing phase that used a technical research report on another long-running North Korean hacking campaign, Kimsuky, as a decoy, likely in preparation for an upcoming campaign targeting cybersecurity professionals.
“Given ScarCruft’s practice of using decoy documents relevant to targeted individuals, we suspect that the planned campaigns will likely target customers of technical threat intelligence reports, like threat researchers, cyber policy organizations, and other cybersecurity professionals,” Milenkoski and Hegel wrote.
The group is “likely pursuing non-public cyber threat intelligence and defense strategies,” Milenkoski wrote on LinkedIn. “This could benefit the constituent actors within the North Korean threat landscape, helping them in identifying threats to their operations.”
The approach is a familiar tactic to those who follow North Korean hacking operations. A sprawling operation that targeted information security professionals across a variety of social media platforms was uncovered in early 2021, for instance.
Taken together, the ongoing campaigns and the testing-phase malware show “ongoing dedication to gathering strategic intelligence through targeted attacks,” the researchers wrote Monday. The operations show the North Koreans’ “commitment to innovating its arsenal and expanding its target list, likely intending to target and/or masquerade as cybersecurity professionals or businesses.”