Passthrough – Joint CSA: North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts

The FBI, the Department of State, and the NSA jointly issued an advisory to highlight attempts by Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) Kimsuky cyber actors to exploit improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts. The report contains background on the DPRK’s cyber program and past information-gathering examples, an explanation of how a strong DMARC policy can help block DPRK actors, red flag indicators of malicious activity, two sample emails used by DPRK cyber actors, and mitigation measures.

The authoring agencies seek to bring awareness of these campaigns to degrade or minimize the effectiveness of Kimsuky spearphishing operations. This advisory provides detailed information on how Kimsuky actors exploit DMARC policies; red flags to consider when encountering common themes and campaigns; and general mitigation measures for entities worldwide to implement to better protect against Kimsuky’s computer network exploitation (CNE) operations. To access the full joint CSA, visit NSA.gov.

Additional Resources Pertaining to Social Engineering and DMARC Hygiene:

• DMARC – The Next Step in Email Hygiene and Security | Tripwire
• Cyber Resilience – Fending Off Modern Spam Tactics  | WaterISAC