The adversary, also known as Kimsuky, Thallium, and Konni, has been attacking companies in areas including education, government, media, research, and other businesses. As per Proofpoint, TA406 is the most closely associated with Kimsuky activity, which the security firm tracks as three distinct threat actors: TA408, TA406, and TA427.
The company said its analysts have been tracking TA406 campaigns aimed at its customers since 2018, but the number of these campaigns remained minimal until the beginning of January 2021. During the first half of the year, Proofpoint observed weekly attacks against journalists, foreign policy experts, and nongovernmental organizations (NGOs), particularly those involved in activities affecting the Korean Peninsula. Academics were also targeted.
As part of a March 2021 campaign, TA406 targeted high-ranking political figures at numerous governmental institutions, a consultancy business, defense institutions, law enforcement agencies, and economic and financial groups. The majority of TA406’s targets are in North America, China, and Russia.
The adversary has been active since at least 2012. While it does not usually employ malware in its operations, the espionage activity observed in 2021 was marked by the use of both malware and credential harvesting.
Amadey, BabyShark, Android Moez, FatBoy, CARROTBAT/CARROTBALL, SANNY, KONNI, and YoreKey are among the malware families used; NavRAT and QuasarRAT also appear to have been used. According to the security researchers, TA406 has also been involved in financially motivated attacks, such as sextortion and the targeting of bitcoin, like other North Korean state-sponsored actors.
Proofpoint assesses with high confidence that TA406 acts on behalf of the North Korean government. According to Proofpoint, this threat actor will continue to conduct corporate identity theft operations regularly, primarily targeting organizations of relevance to the North Korean government.