TA427, also known as Leviathan or TEMP.Periscope, is a cyber espionage group believed to be linked to North Korea. Their primary goal is to gather intelligence on foreign policy matters related to the U.S., South Korea, and other countries of strategic interest to the North Korean regime. TA427 employs a sophisticated attack flow that involves multiple stages:
Reconnaissance and Information Gathering
📌TA427 conducts extensive open-source intelligence (OSINT) gathering to identify potential targets, such as foreign policy experts, think tanks, and academic institutions.
📌They leverage publicly available information to craft tailored lure content and personas that appear legitimate to their targets.
Initial Contact and Social Engineering
📌TA427 initiates contact with targets through spear-phishing emails that appear to be from trusted sources or personas related to North Korean research.
📌The emails often contain timely and relevant content, such as invitations to events, requests for research papers, or questions about foreign policy topics.
📌The goal is to establish a rapport with the targets and engage them in long-term conversations over weeks or months.
DMARC Abuse and Email Spoofing
📌To increase the credibility of their emails, TA427 exploits weak DMARC (Domain-based Message Authentication, Reporting & Conformance) policies to spoof trusted domains and personas.
📌Techniques like typosquatting, private email account spoofing, and the use of free email addresses are employed to impersonate legitimate individuals or organizations.
Profiling and Reconnaissance
📌TA427 incorporates web beacons in their emails to gather basic information about the targets, such as confirming if their email accounts are active.
📌This initial reconnaissance helps the group tailor their subsequent interactions and gather intelligence on the target organization.
Malware Deployment (Optional)
📌While not always necessary, TA427 may attempt to deliver malware or credential harvesters to compromised targets.
📌Techniques like malicious attachments or links may be used to gain further access to the target’s systems or steal sensitive data.
Data Exfiltration and Intelligence Collection
📌The primary objective of TA427 is to gather intelligence on foreign policy matters through the conversations and information shared by the targets.
📌Any stolen data or credentials may also be exfiltrated for further exploitation or intelligence purposes.
Scenarios and Real-World Examples
📌Targeting Foreign Policy Experts: TA427 has directly solicited opinions from foreign policy experts on topics such as nuclear disarmament, U.S.-South Korea policies, and sanctions through benign conversation-starting emails.
📌Spoofing Think Tanks and NGOs: To legitimize their emails and increase the chances of engagement, TA427 has impersonated personas related to think tanks and non-governmental organizations (NGOs).
📌Timely Lure Content: TA427 crafts lure content based on real-world events and international press reporting, making their emails appear highly relevant and credible to the targets.
📌Long-term Engagement: TA427 engages targets over extended periods, constantly rotating aliases and personas to maintain the conversation on similar subject matters.
📌Potential Cryptocurrency Targeting: While not a primary focus, TA427 has shown interest in targeting cryptocurrency platforms like http://blockchain.com in the past, likely for financial gain.