Arctic Wolf Networks
North Korean Cyber Actors Exploiting DMARC Policies
Pages
9
Time to read
16 mins
Publication
Language
English
This document is a Joint Cybersecurity Advisory (CSA) issued by the FBI, U.S. Department of State, and NSA, focusing on the exploitation of improperly configured DMARC policies by North Korean Kimsuky cyber actors. It outlines how these actors utilize social engineering tactics, particularly spearphishing, to impersonate legitimate individuals and organizations in order to collect intelligence. The advisory details the methods employed by Kimsuky, including the creation of fake personas and the use of spoofed emails that appear to originate from trusted domains. It emphasizes the importance of properly configuring DMARC policies to prevent email spoofing and provides indicators of potential spearphishing attempts. Additionally, the document includes mitigation measures for organizations to enhance their defenses against these cyber threats. The advisory aims to raise awareness of Kimsuky's operations and encourage reporting of suspicious activities related to North Korean cyber operations.