Proofpoint has released a report showing substantial new threat research into a North Korea-aligned threat actor, TA406.
TA406 has targeted foreign policy experts, journalists and nongovernmental organisations (NGOs) with credential theft in almost weekly campaigns throughout the first half of 2021.
Key details from the new research include:
- TA406 – which is widely associated with Kimsuky, a threat actor name broadly tracked by the threat intelligence community – is known for engaging in espionage, cyber crime and sextortion and for employing both malware and credential harvesting in information-gathering campaigns.
- Proofpoint’s new report details several examples of each, including two implants used by TA406 that haven’t been discussed before in open-source reporting. Finally, it provides evidence that TA406 conducts financially motivated campaigns, including cryptocurrency and sextortion.
- One of the campaigns detailed in the report occurred around March 2021 at the time of the North Korean missile tests and targeted several organisations and individuals not previously observed as targets for TA406, including some of the highest-ranking elected officials of several different governmental institutions, an employee at a consulting firm, government institutions related to defence, law enforcement and more.
Sherrod DeGrippo, Vice President, Threat Research and Detection at Proofpoint, has provided the following commentary: “What’s most notable about this North Korea-aligned threat actor is their penchant for reusing the same tactics and targeting the same individuals over and over again. They also have used everything from sextortion to legitimate services in the name of financial gain. This extreme level of persistence and flexibility are hallmarks of TA406, and reasons everyone from foreign policy experts, to academics, to journalists must remain vigilant.”
You can read the full report here.