Behind the Screens: North Korea’s Focus on DMARC in Email Espionage

If you missed our recent virtual fireside chat “Behind the Screens: North Korea’s Focus on DMARC in Email Espionage,” or couldn’t attend due to geographical restrictions, we’ve got you covered. 

The session brought together cybersecurity experts from the Federal Bureau of Investigation (FBI) and Stanford University with Red Sift to explore how the North Korean cyber-espionage group Kimsuky has been operating. An advanced persistent threat (APT) actor active since at least 2012, Kimsuky has exploited weak or missing Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to launch spear-phishing campaigns that appear to come from legitimate domains. 

The panel featured Natalie Wilson, Special Agent at the FBI; Emily Tinao, Intelligence Analyst at the FBI; Dr. Herb Lin, Senior Research Scholar at Stanford University and the Hoover Institution; and Dr. Sean Costigan, Managing Director of Resilience Strategy at Red Sift. Together, they provided crucial insights into strengthening email security to counter these threats.

Let’s bring you up to speed

Kimsuky’s primary aim is intelligence gathering rather than disruption or financial theft. As part of its long-standing intelligence-gathering campaigns, the APT group has been targeting a range of US and allied organizations, such as universities, think tanks, and nonprofits, to collect sensitive geopolitical information in support of the North Korean regime. 

A joint advisory issued in May 2024 by the FBI, NSA, and State Department outlined how Kimsuky has been exploiting DMARC misconfigurations to reach valuable intelligence. This focus on sensitive information about nuclear policy and sanctions highlights how important it is for organizations, particularly universities and think tanks, to secure their digital assets. 

Through spear phishing, the group sends highly tailored, deceptive emails designed to mimic trusted sources such as government officials, journalists, or other senior figures. The aim is to lure targets into clicking a malicious link or opening a weaponized attachment that delivers malware.

The exploitation of DMARC

The FBI emphasized that Kimsuky’s success largely comes from exploiting poorly configured or unmanaged DMARC, which bypasses email authentication checks and lets the group impersonate legitimate senders. This has enabled Kimsuky to carry out increasingly sophisticated intelligence-focused operations, a departure from the financially motivated cybercrime traditionally associated with North Korean APT groups. The FBI pointed out the need for improved cyber hygiene, as many organizations still lack the configurations necessary to prevent these types of attacks.

Expanding on Kimsuky’s spear-phishing techniques, the FBI team explained that the group often infiltrates trusted networks and sends emails that appear to come from legitimate sources. This tactic helps Kimsuky gain the trust of high-profile targets before delivering harmful content, such as malicious links or attachments. The FBI further noted that organizations need to pay attention to their DMARC policies to reduce exposure and prevent these phishing campaigns from escalating into larger intrusions.

A broader challenge beyond DMARC

Kimsuky’s tactics, techniques, and procedures raise larger cybersecurity concerns including national security implications and the risk of offensive cyber operations. Dr. Lin noted how universities and think tanks, which generate valuable intellectual property and are seen by adversaries as instrumental to understanding or influencing US policy, are especially attractive targets for Kimsuky and similar nation-state groups. Lin stressed the need for organizations to prioritize cybersecurity as part of a comprehensive defense against nation-state cyber threats. 

Dr. Costigan offered practical advice for institutions, highlighting that threat actors like Kimsuky actively search for misconfigured or incomplete DMARC policies to exploit. He encouraged organizations to promptly review and update their DMARC settings, noting that there are efficient and effective ways to improve email security. 

Ensuring that DMARC is properly configured not only helps prevent phishing attacks but also strengthens overall organizational resilience. There is a great deal of room for improvement: PwC’s 2025 Global Digital Trust Insights survey reports that only 2% of organizations have implemented firm-wide cyber resilience, even though 77% expect their cybersecurity budgets to increase. On the positive side, DMARC adoption is improving, thanks in part to the recent Google and Yahoo! email requirements for bulk senders and to global mandates for DMARC compliance.

Final takeaways and how to protect yourself

A great deal of ground was covered during the session, and the insights shared by all speakers will be crucial to building stronger defenses, particularly against sophisticated actors such as this APT group. Dr. Costigan summarizes the three key takeaways from the session below: 

  1. Universities and think tanks create sensitive information and considerable intellectual property. As such, they are prime targets for cyber exploitation by APT groups like Kimsuky.
  2. Threat actors are on the hunt for weaknesses and opportunities. Taking advantage of incomplete or poorly configured DMARC is squarely in their wheelhouse and we can expect more cybercriminal and APT groups to follow Kimsuky’s lead.
  3. If you are on the risk or cyber team for your institution, or even if you are simply interested in improving your organization’s cyber resilience, check your DMARC policy. If it is nonexistent, incomplete, or improperly configured, know that there are rapid and cost-effective ways to close the gap.
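The review Dr. Costigan recommends, and the third takeaway above, both come down to reading the DMARC record and asking whether it actually enforces anything. The following Python is an added example, not code from the session, from Red Sift, or from the advisory; it parses a DMARC TXT record, flags the settings the panel warned about (no record at all, p=none, a partial pct, a weaker sp for subdomains, no rua address for reports), and emits a hardened replacement. The domains and mailbox names in it are made up, and the record is assumed to have been fetched already, for example with `dig TXT _dmarc.example.com`.

```python
"""Assess a DMARC TXT record for the weak settings spoofers look for, and
emit a hardened version.  Added example: the domains and mailbox names are
made up, and the record is assumed to have been fetched already from the
TXT record at _dmarc.<domain>."""
from typing import Dict, List, Tuple

# Enforcement strength of the p= / sp= values defined in RFC 7489.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> Tuple[str, List[str]]:
    """Return (verdict, findings); verdict is 'missing', 'monitor-only',
    'partial' or 'enforcing'.  Defaults follow RFC 7489: pct defaults to
    100 and sp defaults to p."""
    findings: List[str] = []
    if not record.strip():
        return "missing", ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["v=DMARC1 tag absent or wrong: receivers ignore the record"]

    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        # RFC 7489 section 6.6.3: with no valid p= but a rua= address present,
        # receivers act as if p=none; with neither, no DMARC processing happens.
        if "rua" in tags:
            findings.append("p= missing or invalid: receivers fall back to p=none")
            policy = "none"
        else:
            return "missing", ["p= missing or invalid and no rua=: record is ignored"]
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")

    pct_text = tags.get("pct", "100")
    if pct_text.isdigit() and int(pct_text) <= 100:
        pct = int(pct_text)
    else:
        pct = 100  # assumption for this example: flag an invalid pct, then treat it as 100
        findings.append(f"pct={pct_text}: invalid value")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    sub_policy = tags.get("sp", policy).lower()
    subdomain_gap = POLICY_RANK.get(sub_policy, 0) < POLICY_RANK[policy]
    if subdomain_gap:
        findings.append(f"sp={sub_policy}: subdomains can be spoofed under a weaker policy")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unseen")

    if policy == "none":
        verdict = "monitor-only"
    elif pct < 100 or subdomain_gap:
        verdict = "partial"
    else:
        verdict = "enforcing"
    return verdict, findings


def harden_dmarc(record: str, report_addr: str, policy: str = "reject") -> str:
    """Rewrite a record so the domain and its subdomains are enforced at
    `policy`, 100% of failing mail is covered, and aggregate reports go to
    `report_addr`.  Alignment tags already present (adkim/aspf) are kept."""
    tags = parse_dmarc(record) if record.strip() else {}
    tags.update({"v": "DMARC1", "p": policy, "sp": policy, "pct": "100"})
    tags.setdefault("rua", f"mailto:{report_addr}")
    order = ["v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri"]
    keys = [k for k in order if k in tags] + [k for k in tags if k not in order]
    return "; ".join(f"{k}={tags[k]}" for k in keys)  # v= must stay first


# Constructed records for demonstration; none of these domains exist.
SAMPLES = {
    "missing.example": "",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=10",
    "strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for domain, rec in SAMPLES.items():
        verdict, findings = assess_dmarc(rec)
        print(f"{domain}: {verdict}")
        for finding in findings:
            print("  -", finding)
        if verdict != "enforcing":
            print("  hardened:", harden_dmarc(rec, f"dmarc@{domain}"))
```

One caveat before publishing the hardened record: p=reject also blocks legitimate mail from any sender that is not yet covered by SPF or DKIM with aligned identifiers, so in practice the rua reports are read first and the policy is tightened (none, then quarantine, then reject) once they show only aligned mail.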

The fireside chat highlighted the pressing need for trusted public-private partnerships to help organizations take action against APT threats. The FBI asked universities, think tanks, and nonprofits to report when they are being targeted by nation-state groups and to improve their DMARC configurations and cyber hygiene practices. 

While Kimsuky’s tactics evolve, they often rely on weaknesses that are easy to remedy. Proactive measures to secure email systems, such as a properly enforced DMARC policy, can significantly reduce the risk posed by these advanced persistent threat groups, making it clear that robust cybersecurity protocols are not optional but essential in today’s digital landscape.

_________

Meet the speakers

Natalie Wilson is a Special Agent on a National Security Cyber Squad. She investigates cyber intrusion matters relating to PRC and North Korean APT groups. Before moving to cyber matters, Natalie had an extensive career in counterintelligence investigations and has over 10 years of experience working theft of trade secrets and economic espionage investigations.

Emily Tinao is an Intelligence Analyst (IA) in the New York Field Office of the Federal Bureau of Investigation. Tinao joined the FBI in 2015 and has worked various criminal investigations and national security cyber matters.

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in the use of offensive operations in cyberspace as instruments of national policy and in the security dimensions of information warfare and influence operations on national security.

Dr. Sean Costigan is the Managing Director of Resilience Strategy at Red Sift where he oversees and advises on the company’s global policies and strategies. A cybersecurity industry professional, in 2023 Sean received the Serge Lazareff Prize for his contributions to NATO.

PUBLISHED BY

Sean Costigan

17 Oct. 2024
