A newly identified North Korean cyber group, APT43, has been linked to multiple campaigns aimed at gathering strategic intelligence in line with Pyongyang's geopolitical interests since 2018. Tracked by Google-owned Mandiant, APT43 combines espionage with financially motivated activity, relying on credential harvesting and social engineering rather than on novel exploits to achieve its goals.
APT43 generates funds through its attack campaigns to support its primary mission of collecting strategic intelligence. The group targets a range of sectors in South Korea, the U.S., Japan, and Europe, including government, education, research, policy institutes, business services, and manufacturing. It has also shown that its targeting follows the regime's priorities: from October 2020 to October 2021 it shifted its focus to health-related and pharmaceutical companies, a period that coincides with North Korea's COVID-19 response.
Mandiant researchers describe APT43 as a prolific cyber operator supporting North Korea’s interests, combining moderately sophisticated technical capabilities with aggressive social engineering tactics. The group’s activities are believed to align with North Korea’s foreign intelligence agency, the Reconnaissance General Bureau (RGB), and share tactical similarities with another hacking group known as Kimsuky.
APT43 has been observed using tools previously linked to other RGB-associated groups, such as the Lazarus Group. Its intrusions typically begin with spear-phishing emails carrying tailored lures, sent from spoofed or fabricated personas (including fake journalists and researchers) to gain the victim's trust. The group mines stolen contact lists to identify further targets and steals cryptocurrency to pay for its attack infrastructure.
Most APT43 operations are credential-harvesting campaigns run through domains that mimic legitimate services; the stolen credentials and data are then reused to build online personas for follow-on targeting. Mandiant notes that financially motivated activity is common across North Korean groups, which suggests a broad mandate to self-fund operations rather than draw on additional state resources.
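The lookalike-domain pattern described above is one that defenders can hunt for directly in proxy or DNS logs. The following is an added example written for this article, not code from Mandiant or from the APT43 report: it flags hostnames that embed a watched brand name, or whose registrable second-level label sits within a small edit distance of one, after normalising common digit-for-letter substitutions. The brand watchlist, the allowlist of legitimate registrable domains, and the log lines are constructed for illustration and are not indicators from the report.

```python
"""Triage proxy log lines for domains that impersonate watched services.

Added example (not from the Mandiant report). The watchlist, allowlist and
sample log lines below are constructed for illustration only.
"""
import re

# Hypothetical brands a credential-phishing lure is likely to impersonate.
WATCHLIST = ["google", "gmail", "naver", "daum", "microsoft", "outlook"]

# Registrable domains that legitimately belong to those brands (constructed).
# Anything whose registrable domain is here is allowed before any other check,
# so this list must contain every legitimate sibling domain of each brand.
ALLOWLIST = {"google.com", "gmail.com", "naver.com", "daum.net",
             "microsoft.com", "outlook.com"}

# Two-label public suffixes common in this campaign's target regions.
SECOND_LEVEL_TLDS = {"co.kr", "go.kr", "or.kr", "ac.kr", "co.jp", "ne.jp", "co.uk"}

# Digit-for-letter substitutions attackers use; undone before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed log format: timestamp source_ip host method path
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)$")


def registrable(host: str) -> str:
    """Return the registrable domain (e.g. 'naver.co.kr' for 'mail.naver.co.kr')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Undo homoglyph digits and drop separators so 'g00gle-login' -> 'googlelogin'."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str):
    """Return ('allow' | 'lookalike' | 'clean', reason) for a hostname."""
    reg = registrable(host)
    if reg in ALLOWLIST:
        return "allow", f"{reg} is an allowlisted registrable domain"
    # 1. A watched brand embedded anywhere in a non-allowlisted hostname
    #    (e.g. naver.login-secure.com, accounts-google.com, g00gle-login.com).
    for label in host.lower().split("."):
        n = normalise(label)
        for brand in WATCHLIST:
            if brand in n:
                return "lookalike", f"brand '{brand}' embedded in label '{label}' of {host}"
    # 2. The registrable second-level label is one edit away from a brand
    #    (e.g. da0m.net -> 'daom' vs 'daum').
    sld = normalise(reg.split(".")[0])
    for brand in WATCHLIST:
        if len(brand) >= 4 and levenshtein(sld, brand) <= 1:
            return "lookalike", f"'{reg}' is within edit distance 1 of '{brand}'"
    return "clean", ""


def triage(lines):
    """Parse constructed proxy lines and return (src, host, reason) for lookalikes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        verdict, reason = classify(m["host"])
        if verdict == "lookalike":
            hits.append((m["src"], m["host"], reason))
    return hits


# Constructed sample log lines; the hosts are illustrative, not real indicators.
SAMPLE_LOG = [
    "2023-03-01T09:12:44Z 10.0.0.5 accounts.google.com GET /signin",
    "2023-03-01T09:13:02Z 10.0.0.5 accounts-google.com GET /ServiceLogin",
    "2023-03-01T09:14:10Z 10.0.0.7 nid.naver.com GET /nidlogin.login",
    "2023-03-01T09:15:31Z 10.0.0.7 naver.login-secure.com GET /nidlogin",
    "2023-03-01T09:16:05Z 10.0.0.9 mail.daum.net GET /",
    "2023-03-01T09:17:22Z 10.0.0.9 da0m.net GET /login",
]

if __name__ == "__main__":
    for src, host, reason in triage(SAMPLE_LOG):
        print(f"{src} -> {host}: {reason}")
```

The allowlist check runs first, so the false-positive rate of this heuristic depends entirely on how complete the allowlist is for each brand's legitimate sibling domains; a hit is a triage lead, and the proxy path (a login-looking URL on an unfamiliar domain, as in the sample) is what turns it into something worth pulling the session for.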
APT43 utilizes a mix of custom and publicly available malware, including LATEOP (aka BabyShark), FastFire, gh0st RAT, Quasar RAT, Amadey, and an Android version of a Windows-based downloader called PENCILDOWN. These findings follow recent warnings from German and South Korean government agencies about cyber attacks by Kimsuky using rogue browser extensions to steal Gmail inboxes.
Mandiant emphasizes APT43’s responsiveness to Pyongyang’s leadership demands, highlighting the group’s high activity levels. While spear-phishing and credential collection against the government, military, and diplomatic organizations remain core tasks, APT43 adapts its targets and tactics to suit its sponsors, engaging in financially motivated cybercrime as needed to support the regime.