North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyberattacks


In a recent report, Proofpoint Inc. discusses TA444, a North Korean nation-state group known for targeting cryptocurrency. This infamous advanced persistent threat (APT) group has changed its strategy and has been connected to a new wave of email attacks as part of a “sprawling” credential harvesting campaign. Also known as Stardust Chollima, the group has been linked to numerous cyber heists, leveraging sophisticated social engineering tactics to compromise financial systems and cryptocurrency platforms.

Proofpoint tracks the state-aligned threat actor under the name TA444, while others in the cybersecurity community track it as BlueNoroff, APT38, Copernicium, and Stardust Chollima. The group has been linked to a growing number of credential harvesting attacks, using deceptive phishing campaigns and fake job offers to lure victims into revealing their login information.

What is Credential Harvesting?

Credential harvesting is a method attackers use to gain access to an organization’s credentials, which usually include email addresses, usernames, and passwords. Several techniques are used to obtain this information, which the attacker may then sell to third parties on the Dark Web. Techniques used to access credentials illegally include man-in-the-middle (MitM) attacks, DNS poisoning, and phishing.

What is TA444’s Recent Strategy?

According to the report, shared with The Hacker News, TA444 is “utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims.” This state-sponsored group is motivated by generating illicit revenue for the North Korean regime, rather than the more usual goals of data theft and espionage.

According to The Record, Proofpoint senior threat researcher Greg Lesnewich said that TA444, the North Korean advanced persistent threat (APT) group, operates “with a startup mentality and a passion for cryptocurrency.” He went on to say: “This threat actor rapidly ideates new attack methods while embracing social media as part of their MO.”

The company told The Hacker News that, “In 2022, TA444 took its focus on cryptocurrencies to a new level and has taken to mimicking the cybercrime ecosystem by testing a variety of infection chains to help expand its revenue streams.”

The attackers use phishing emails tailored to the victim, carrying malicious attachments such as LNK files and ISO optical disk images. Bogus and compromised LinkedIn accounts belonging to company executives are also used to engage victims before sending them malicious links.
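As an added example (not code from the Proofpoint report or from Certrec), the following Python routine triages e-mail attachments for the two container types named above, LNK shortcuts and ISO images, by checking their file headers rather than trusting the file name, so a shortcut renamed to look like a PDF is still flagged. The message, its attachments and the finding labels are all constructed for this illustration.

```python
"""Triage e-mail attachments for LNK and ISO containers (constructed example)."""
import email
import email.policy
from email.message import EmailMessage

# Shell link header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046}, serialised little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
# ISO 9660 primary volume descriptor identifier "CD001" sits at byte offset 0x8001.
ISO_MAGIC, ISO_MAGIC_OFFSET = b"CD001", 0x8001
RISKY_EXTENSIONS = (".lnk", ".iso")  # extend to taste; labels below are our own names


def classify_attachment(filename, payload):
    """Return a list of findings for one attachment; an empty list means nothing notable."""
    findings = []
    name = (filename or "").lower()
    if payload.startswith(LNK_MAGIC):
        findings.append("lnk-header")
    if payload[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        findings.append("iso9660-descriptor")
    if name.endswith(RISKY_EXTENSIONS):
        findings.append("risky-extension")
    # A risky container hiding behind a harmless-looking extension gets its own flag.
    if findings and not name.endswith(RISKY_EXTENSIONS):
        findings.append("extension-mismatch")
    return findings


def triage_message(raw):
    """Parse a raw RFC 5322 message and return (filename, findings) for flagged attachments."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings = classify_attachment(part.get_filename(), payload)
        if findings:
            flagged.append((part.get_filename(), findings))
    return flagged


def build_sample_eml():
    """Constructed lure: a benign PDF, an ISO image, and an LNK disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "hr@example.test"
    msg["To"] = "staff@example.test"
    msg["Subject"] = "Salary adjustment"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(b"%PDF-1.4 benign", maintype="application", subtype="pdf", filename="Policy.pdf")
    iso = bytearray(ISO_MAGIC_OFFSET + 16)
    iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    msg.add_attachment(bytes(iso), maintype="application", subtype="octet-stream", filename="Job_Offer.iso")
    msg.add_attachment(LNK_MAGIC + b"\0" * 16, maintype="application", subtype="pdf", filename="Adjustment.pdf")
    return msg.as_bytes()
```

Running `triage_message(build_sample_eml())` flags the ISO and the disguised shortcut while leaving the genuine PDF alone.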


What Are the Basic Security Measures Your Organization Can Take Against Credential Harvesting?

The first and most basic measure is comprehensive password security, which is essential to defend against credential harvesting by cybercriminals. At the very least, every organization should:

  • Make it mandatory for all employees to use strong and unique passwords for all their accounts.
  • Have all employees use multi-factor authentication (MFA/2FA) on all accounts that support it.
  • Make sure that all employees use a password manager.

Advancements like cloud computing have made supply chain vulnerabilities a major threat to all organizations. Your company may not be attacked directly, but one of your vendors might be, which puts your organization at risk too. It is a good idea for all organizations to subscribe to a Dark Web monitoring service. These services scan Dark Web forums and can inform an organization when an employee’s password has been compromised and needs to be reset.

Conclusion

As cyber threats continue to evolve, Stardust Chollima and other state-sponsored hacking groups are constantly refining their tactics to exploit organizations worldwide. Understanding what credential harvesting is and how attackers steal login information is crucial for strengthening cybersecurity defenses. By implementing strong password policies, multi-factor authentication, and Dark Web monitoring services, organizations can significantly reduce the risk of credential harvesting attacks. Staying informed and proactive is the key to safeguarding sensitive data from sophisticated cyber adversaries.

Disclaimer: Any opinions expressed in the blog do not necessarily reflect the opinions of Certrec. The content of this blog is meant for informational purposes only.