The US National Security Agency (NSA), alongside the FBI and the State Department, is issuing a warning against North Korean hackers who are using a security flaw to send deceptive emails. These emails appear to come from legitimate internet domains, enhancing the credibility of phishing attacks aimed at intelligence gathering and accessing private documents.
The hackers are exploiting a vulnerability in DMARC, an email verification system intended to prevent such spoofing. Normally, DMARC helps email servers identify and block fraudulent emails by verifying whether they truly originate from the claimed domain. However, the North Korean group known as Kimsuky, or APT43, has been bypassing this protection by taking advantage of lenient DMARC policies set to “p=NONE,” which do not instruct receiving servers to take any action against emails that fail verification.
As a result, spearphishing emails, despite failing DMARC checks, are still reaching their intended targets. These phishing attempts often involve impersonations of reputable figures like journalists or experts in East Asian affairs, offering enticing incentives such as speaker fees at conferences to lure in victims.
In response to these activities, the NSA and FBI are urging entities to adjust their DMARC settings to either “quarantine” or “reject” spoofed emails, effectively enhancing their defenses against such cyber threats. This adjustment will help ensure that emails failing DMARC verification are properly flagged as spam or blocked outright, reducing the risk of successful phishing attacks.
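The following script is an added example, not code from the NSA, the FBI, or any DMARC library. It parses DMARC TXT records (the `v=DMARC1; p=...; sp=...; pct=...` tag syntax) and evaluates them the way a receiving mail server would, showing why a message that fails DMARC is still delivered under “p=none” and is quarantined or rejected under the policies the advisory recommends. The domain names and records are constructed samples; no DNS lookups are performed.

```python
"""Added example: assess a domain's DMARC policy and simulate the receiving
server's disposition of a message that fails DMARC.  Illustrative code, not
NSA/FBI tooling.  Sample records below are constructed, not real domains."""

from dataclasses import dataclass
from typing import Optional

# Constructed sample records, as they would appear in the TXT record at
# _dmarc.<domain>.  "weak.example" reflects the p=none setting the advisory warns about.
SAMPLE_RECORDS = {
    "weak.example":    "v=DMARC1; p=none; rua=mailto:dmarc-reports@weak.example",
    "better.example":  "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@better.example",
    "strict.example":  "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "subonly.example": "v=DMARC1; p=reject; sp=none",
    "broken.example":  "v=DMARC1; rua=mailto:x@broken.example",  # missing required p= tag
}

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcPolicy:
    policy: str             # p=  : none | quarantine | reject
    subdomain_policy: str   # sp= : defaults to the p= value
    pct: int                # pct=: share of failing mail the policy applies to


def parse_dmarc(record: str) -> Optional[DmarcPolicy]:
    """Parse a DMARC TXT record's tag=value pairs (RFC 7489 syntax).
    Returns None when the record is not usable (no v=DMARC1 or no p= tag)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        return None
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in VALID_POLICIES:
        subdomain_policy = policy  # an invalid sp= falls back to p=
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return DmarcPolicy(policy, subdomain_policy, max(0, min(pct, 100)))


def disposition(policy: Optional[DmarcPolicy], dmarc_pass: bool,
                is_subdomain: bool = False) -> str:
    """What a receiving server does with a message from the domain.
    (pct sampling is not simulated; the full policy is applied.)"""
    if dmarc_pass:
        return "deliver"
    if policy is None:
        return "deliver"  # no valid policy published: no instruction to act
    applied = policy.subdomain_policy if is_subdomain else policy.policy
    return "deliver" if applied == "none" else applied


def assess(record: str) -> dict:
    """Flag the weak settings an administrator should fix."""
    policy = parse_dmarc(record)
    findings = []
    if policy is None:
        findings.append("no valid DMARC policy (missing or invalid v= / p= tag)")
    else:
        if policy.policy == "none":
            findings.append("p=none: failing mail is still delivered; set p=quarantine or p=reject")
        if policy.subdomain_policy == "none":
            findings.append("sp=none: subdomains remain spoofable; align sp= with p=")
        if policy.pct < 100:
            findings.append(f"pct={policy.pct}: policy applied to only part of failing mail")
    return {
        "policy": policy,
        "spoof_fails_delivered": disposition(policy, dmarc_pass=False) == "deliver",
        "findings": findings,
    }


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess(record)
        verdict = "SPOOF DELIVERED" if result["spoof_fails_delivered"] else "spoof blocked/quarantined"
        print(f"{domain:16} {verdict}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Running the script shows “weak.example” and “broken.example” delivering mail that fails DMARC, while “better.example” quarantines it and “strict.example” rejects it; “subonly.example” illustrates that a strict p= still leaves subdomains open when sp=none is set. Adding a rua= reporting address alongside the stricter policy, as the sample records do, lets the domain owner see who is sending failing mail before and after the change.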