The IT Nerd

The FBI has issued a warning that North Korean state-sponsored threat actor Kimsuky is actively targeting government agencies, academic institutions, and think tanks using spear-phishing emails that contain malicious QR codes. This technique, known as “quishing,” bypasses traditional email security by embedding QR codes instead of clickable URLs, forcing victims to use unmanaged mobile devices.

Once scanned, the QR codes redirect victims through attacker-controlled domains that collect device and location data before serving mobile-optimized phishing pages impersonating Microsoft 365, Okta, or VPN login portals. By stealing session cookies, attackers can bypass MFA and hijack cloud identities. Because the initial compromise occurs outside standard EDR and network visibility, the FBI now considers quishing a high-confidence, MFA-resilient identity intrusion vector. Kimsuky has used this approach in recent espionage campaigns and has been active since at least 2012.

Chris Pierson, Founder and CEO, BlackCloak had this to say:

“Quishing is a reminder that attackers are deliberately shifting the point of compromise away from corporate infrastructure and onto personal, unmanaged devices where security controls are weakest. When executives or staff scan a QR code on their phone, they are often stepping completely outside the organization’s detection and response capabilities. That makes identity theft and session hijacking far more likely, even in environments with MFA enabled. Organizations need to treat mobile devices and digital behavior as part of the attack surface, not an edge case. Executive protection strategies must account for how attackers blend convenience, trust, and mobile workflows to bypass traditional defenses.”

Will Baxter, Field CISO, Team Cymru follows with this:

“Kimsuky’s use of quishing highlights a broader shift among nation-state actors toward identity-centric intrusion rather than malware-heavy attack chains. QR-based phishing evades traditional email controls while allowing attackers to profile the victim’s device and environment before delivering tailored lures. When session cookies or cloud tokens are stolen, MFA can be bypassed entirely, turning identities into reusable assets for follow-on espionage. This is why defenders need visibility beyond the network edge—correlating external threat intelligence with identity telemetry to spot infrastructure reuse and disrupt these campaigns earlier in the kill chain.”

If you want to learn more about Quishing and how to protect yourself, this link from Cloudflare can help you. This is handy information as this is clearly a popular means of attack from threat actors.

The thing about cyberattacks is that if the threat actors get paid via say ransomware or outright theft, they need to launder the money somehow so that they can spend it. Otherwise it would have been pointless to “acquire” the cash. Well a new report from The Record shows what the Lazarus Group based out of North Korea will do to launder money:

North Korea’s Lazarus hacking group allegedly has turned back to an old service in order to launder $23 million stolen during an attack in November.  

Investigators at blockchain research company Elliptic said on Friday that in the last day they had  seen the funds — part of the $112.5 million stolen from the HTX cryptocurrency exchange in November — laundered through the Tornado Cash mixing service.  

The use of Tornado Cash stood out to Elliptic because the service was sanctioned by U.S. authorities in August 2022, prompting Lazarus actors to turn to another mixing service called Sinbad.io. The U.S. Treasury Department sanctioned Sinbad.io in November. 

“Lazarus Group now appear to have returned to using Tornado Cash as a way to launder funds at scale and obfuscate their transaction trail,” Elliptic said, noting that the hackers sent the more than $23 million in about 60 transactions.  

“This change in behavior and return to the use of Tornado Cash likely reflects the limited number of large-scale mixers now operating, thanks to law enforcement takedowns of services such as Sinbad.io and Blender.io,” the company said. 

The researchers noted that Tornado Cash has been able to continue operating despite the sanctions because it runs on decentralized blockchains, meaning it “cannot be seized and shut down in the same way that centralized mixers such as Sinbad.io have been.”

Ken Westin, Field CISO, Panther Labs had this comment:

The Lazarus threat group from North Korea have been primarily targeting the crypto currency, financial services and cybersecurity industries. Their techniques focus primarily on developers through social engineering attacks to gain access to code repositories, devops and cloud infrastructure with the goal of gaining access to crypto wallets and accounts, as well as access to code and secrets. These attacks have proven to be quite lucrative, and by stealing cryptocurrency, has provided the North Korean regime a method to evade financial sanctions and further fund their military endeavors. This should be a bigger cause for concern for the the US government and its allies given the collaboration North Korea has with helping the Russian military, where it recently shipped 7K containers of munitions and other military supplies. Although the US has been cracking down on crypto currency mixing services, which are commonly used to launder money through crypto exchanges, North Korea has still been able to take advantage of the rising value of crypto currencies and continue to use these services to convert stolen crypto currency to fund their military operations.

This illustrates how hard it is so shut down avenues for groups like this one to launder money. That means that nations really have to redouble their efforts to make harder and harder for groups to launder money. That way it makes it less profitable for these groups.

You might recall that I posted a story on North Koreans posing to get IT jobs in the US. I have a follow up on that story with a bit of a twist. ESET researchers sent a series of tweets outlining a cyberespionage campaign by North Korean APT group Lazarus that is targeting Apple and Intel chip systems via a fake engineering job post supposedly from Coinbase.

Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi had this to say:

“The North Korean APT group Lazarus has made a real name for itself with its cyberespionage campaigns, and this attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals. Our research shows that the proceeds of cybercriminal activities from North Korean APT groups are being used to circumvent international sanctions and gather intelligence. The money from such attacks is being funnelled directly into the DPRK’s weapons programmes, and any intel gathered could also be used against its enemies.”

“A key component of the attack is the use of a signed executable disguised as a job description. Code signing certificates has become the modus operandi for many North Korean APT groups, as these digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices. We’ve seen countless times how North Korean hackers use signed certificates to access networks, passing malicious software off as legitimate and enabling them to launch devastating supply chain attacks. Incidents such as the 2014 Sony Hack, or the $101 million heist of the Bangladesh Bank via the SWIFT banking system, have demonstrated North Korea’s long-standing interest in the malicious use of machine identities. This attack makes use of a similar technique so could deal similar damage as Lazarus understands machine identity and exploits it so effectively, whilst it’s still such a blind spot for many organizations.”

The North Koreans are clearly looking for new angles to get whatever it is they are looking for. Which of course is bad for all of us. Thus businesses everywhere have to be on guard for whatever they have planned next.

Reuters is reporting on a new confidential UN report outlining fresh preparations for nuclear weapons testing in North Korea. The report cites previous concerns from the UN around cybercrime being a key revenue stream for North Korea’s weapons program:

The U.N. monitors also said investigations had shown Pyongyang was to blame for stealing hundreds of millions of dollars worth of crypto assets in at least one major hack. The monitors have previously accused North Korea of carrying out cyber attacks to fund its nuclear and missile programs.

“Other cyber activity focusing on stealing information and more traditional means of obtaining information and materials of value to DPRK’s prohibited programmes, including WMD (weapons of mass destruction), continued,” the monitors wrote.

Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi had this comment:

“The latest report from the United Nations on North Korean nuclear tests should sound the klaxon of alarm for Western businesses, especially as it specifically mentions cyberattacks being a key source of funding. Our research shows that the proceeds of cybercriminal activities from infamous groups such as Lazarus and APT38 are being used to circumvent international sanctions in North Korea. This money is being funnelled directly into weapons programs. And because developing nuclear weapons is expensive, especially in the face of rising inflation and the cryptocurrency crash, companies should be on high alert that the DPRK will be looking to cash in now and help feed their weapons programs and fund ongoing weapon development.” 

“A key component of North Korean nation state attacks are code signing machine identities, which have become the modus operandi for many of its cybercrime groups. These digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices. We’ve seen countless times how North Korean hackers use stolen certificates to access networks, passing malicious software off as legitimate and enabling them to launch devastating supply chain attacks. Incidents such as the 2014 Sony Hack, or the $101 million heist of the Bangladesh Bank via the SWIFT banking system, have demonstrated North Korea’s long standing interest in the malicious use of machine identities. While the latest UN report is an important step in broadcasting this issue to the world, we still need to see governments and businesses act together and share intelligence on these attacks. This will be key to building knowledge on the importance of machine identities in security. If not, we’ll continue to see North Korean threat actors thrive.”

I think it’s safe to say that businesses have a new reason to make sure that their cyber defences are on point. The North Koreans have been extremely active threat actors in the past. And based on this report, they’re about to get a whole lot more active. Which is bad news for the rest of us.

I have to admit that reading this story from The Guardian was not on my bingo card when I woke up this morning. U.S. officials have warned businesses against inadvertently hiring IT staff from North Korea, claiming that rogue freelancers were taking advantage of remote work opportunities to hide their true identities with the intent of earning money for Pyongyang.

An advisory issued by the state and treasury departments and the FBI said the effort was intended to circumvent US and UN sanctions, and bring in money for North Korea’s nuclear weapons and ballistic missile programs. The officials said companies who hired and paid such workers may be exposing themselves to legal consequences for sanctions violations.

“There are thousands of DPRK IT workers both dispatched overseas and located within the DPRK, generating revenue that is remitted back to the North Korean government.

“These IT workers take advantage of existing demands for specific IT skills, such as software and mobile application development, to obtain freelance employment contracts from clients around the world, including in North America, Europe, and east Asia.”

North Korean workers pretended to be from South Korea, Japan, or other Asian countries, the advisory said. It laid out a series of red flags that employers should watch for, including a refusal to participate in video calls and requests to receive payments in virtual currency.

Kevin Bocek, VP, Security Strategy and Threat Intelligence for Venafi had this comment:

“Defending against North Korean nation-state actors is difficult, particularly when these threats are now coming from both outside and inside organisations. They are often well funded, highly sophisticated, and – as we’re seeing with this FBI warning – capable of thinking outside the box to find new ways to attack networks, as we’re now seeing with rogue freelancers hacking from within. Our recent research shows that cybercrime has become a primary means of revenue generation in North Korea, and APT groups are helping it to work outside of international sanctions, funding political and military gains. In fact, it’s estimated that up to $2bn makes its way directly into North Korea’s weapons program each year as a result of nation state cybercrime.

“Ultimately, there’s no telling what these rogue freelancers are after. The targets that spring to mind are data theft or potentially funds, but we’ve seen in the past that North Korean APT groups have made use of stolen code signing identities in devastating nation state attacks, so they’re likely to be on the table as well. The problem is that there’s currently not enough awareness and security around the importance of machine identities. This lack of focus allows North Korean cybercriminals to take advantage of a serious blind spot in software supply chain attacks.

“Organizations must now be proactive, not reactive in their security defenses. It’s clear that recruitment processes have to be robust to prevent hiring a rogue freelancer. For companies looking to protect against the impact these threat actors could have if armed with stolen code signing certificates, machine identity management remains the best defense. Businesses must have visibility over their environments in order to spot changes and react fast, both from a human identity and a machine identity perspective. Without the effective management of both machines and humans, we’ll continue to see APT groups thrive, and high-profile nation-state attacks will continue to affect businesses and government. The automation of machine identity management can help to take this element of security out of already overstretched security teams hands.”

It does beg the question if other countries with dodgy reputations like Russia and China are doing something similar. I’d be interested in knowing that answer as it likely would influence how safe we all are.