URL: https://www.recordedfuture.com/north-korea-aligned-tag-71-spoofs-financial-institutions




NORTH KOREA-ALIGNED TAG-71 SPOOFS FINANCIAL INSTITUTIONS IN ASIA AND US

Posted: 6th June 2023
By: Insikt Group®


Insikt Group has discovered malicious cyber threat activity spoofing several
financial institutions and venture capital firms in Japan, Vietnam, and the
United States. The group responsible, referred to as Threat Activity Group 71
(TAG-71), has significant overlaps with the North Korean state-sponsored APT38.
Between September 2022 and March 2023, Insikt Group discovered 74 domains and 6
malicious files associated with TAG-71's activities.

TAG-71 has previously been observed spoofing domains belonging to financial
firms and cloud services in Japan, Taiwan, and the United States. In March 2022,
Insikt Group identified 18 malicious servers tied to TAG-71, which were also
linked to the publicly reported CryptoCore campaign. These servers were used for
malware delivery, phishing, and command and control operations, often
impersonating popular cloud services and cryptocurrency exchanges.

The North Korean government has a history of financially motivated intrusion
campaigns, targeting cryptocurrency exchanges, commercial banks, and e-commerce
payment systems worldwide. TAG-71's recent activities align with this pattern,
indicating North Korea's ongoing efforts to generate funds while facing
international sanctions. The spoofing of investment banking and venture capital
firms poses risks such as exposure of sensitive information, legal consequences,
disrupted negotiations, or damage to strategic investment portfolios.

Select IOCs for TAG-71 mapped to the Diamond Model of Intrusion Analysis in the
Recorded Future Intelligence Cloud

To mitigate TAG-71's activities, Insikt Group recommends configuring intrusion
detection systems to block connections to the IP addresses and domains
associated with the group. Clients of Recorded Future, Insikt Group's parent
company, should also block command and control servers logged in the Command and
Control Security Control Feed. Additionally, organizations should enforce
security awareness among employees and customers to recognize phishing attempts,
suspicious domains, and fraudulent documents. Monitoring for domain abuse and
initiating takedowns of fraudulent domains through Recorded Future's Brand
Intelligence module is also advised.

Overall, TAG-71's campaign aligns with North Korean state-sponsored threat
actors' past activities, posing risks to financial and investment firms and
their customers. Implementing the recommended mitigation measures can help
protect organizations from these malicious activities.

To read the entire analysis with endnotes, click here to download the report as
a PDF.


