North Korea-linked TA406 cyberespionage group activity in 2021

Pierluigi Paganini November 19, 2021

North Korea-linked TA406 APT group has intensified its attacks in 2021, particularly credential harvesting campaigns.

A report published by Proofpoint revealed that the North Korea-linked TA406 APT group (also tracked as Kimsuky, Thallium, Konni, Black Banshee, and Velvet Chollima) has intensified its operations in 2021.

The TA406 cyber espionage group was first spotted by Kaspersky researchers in 2013. At the end of October 2020, the US-CERT published a report on Kimsuky’s recent activities that provided information on their TTPs and infrastructure.

The APT group mainly targets think tanks and organizations in South Korea; other victims were located in the United States, Europe, and Russia.

Since 2018, Proofpoint researchers have tracked the activity associated with TA406 as three distinct threat actors, namely TA406, TA408 and TA427.

Since the beginning of 2021, the TA406 group has carried out multiple credential theft campaigns targeting research, education, government, media and other organizations. TA406 doesn’t usually employ malware in its campaigns; however, researchers tracked two campaigns that attempted to distribute information-stealer malware.

Malware strains associated with the activity of this nation-state actor include KONNI, SANNY, CARROTBAT/CARROTBALL, BabyShark, Amadey and Android Moez.


From January through June 2021, the cyberespionage group mainly targeted foreign policy experts, journalists and nongovernmental organizations (NGOs), focusing on entities involved in activities in line with the interests of Pyongyang. In March, the group orchestrated a malware campaign targeting North American entities.

Another campaign conducted in March 2021 targeted several entities not previously observed as targets for TA406. The targets included some of the highest-ranking elected officials of several different governmental institutions, an employee of a consulting firm, government institutions related to defense, law enforcement, and economy and finance, and generic mailboxes for board and customer relations of a large financial institution.

“Generally, TA406 phishing campaigns focus on individuals in North America, Russia and China, with the actors frequently masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations related to cryptocurrency for the purpose of financial gain.” reads the report.

The group, like other North Korea-linked APT groups, has also been engaged in financially motivated attacks, including sextortion and attacks against cryptocurrency.

“Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” concludes the report.
