SentinelLabs, the research division of SentinelOne, has conducted a study into ScarCruft, a suspected North Korean Advanced Persistent Threat (APT) group, known also as APT37 and InkySquid. The group is understood to primarily target individuals, as well as public and private entities based in South Korea.
SentinelLabs has detected campaigns aimed at high-profile experts specialising in North Korean affairs, originating from South Korea's academic sector, and from a news organisation focused on North Korea. The targets have undergone persistent attacks over a two-month period. SentinelLabs leverages the specific malware, delivery methods, and infrastructure common to ScarCruft to identify the campaigns with a high degree of confidence.
The report also revealed that ScarCruft is currently developing and testing a new set of malware, assumed for use in future assault campaigns. SentinelLabs retrieved this malware and observed its evolution. Intriguingly, ScarCruft has been experimenting with novel infection chains, using a tech threat research report as a decoy document, associated with another suspected North Korean group, Kimsuky. Since ScarCruft's choice of decoy material is typically relevant to the targeted individuals, the upcoming campaigns are expected to focus on threat researchers, cyber-policy organisations, and cybersecurity professionals — the primary consumers of such intel reports.
Looking into future ScarCruft activities allows SentinelLabs to predict who the next targets could be. By specifically targeting highly prominent experts covering North Korean issues and media organisations reporting on North Korean affairs, ScarCruft achieves its objective of obtaining strategic intel. This supports the adversary's pursuit of insights on international perspectives towards developments in North Korea and informs North Korea's decision making.
The group's modus operandi of focusing on experts who utilise technical threat intelligence reports is considered to be an attempt to gather insights into unpublished cyber threat intelligence and defensive strategies. This assists ScarCruft in identifying possible threats and improving their operation and evasion approaches.
ScarCruft's increasing interest in mimicking cybersecurity professionals and businesses, as well as focusing on specific customers and contacts, whether directly or through brand impersonation, reveals an innovative approach in its campaigns. SentinelLabs is actively studying suspected North Korean cyber threat assets — particularly their emerging experimentation patterns, to keep the potential targets informed and prepared.
The report underscores ScarCruft's dedication to gather strategic intelligence via targeted cyber attacks. In addition to revealing their efforts to innovate their toolset and broaden targets, the research suspects that ScarCruft is interested in non-public cyber threat intelligence and defence strategies. SentinelLabs believes this knowledge could not only benefit ScarCruft but also provide strategic advantages to other constituent groups within the North Korean threat landscape.
Creating awareness and improving understanding of the attacker's methods among potential targets is critical for an effective defence strategy. SentinelLabs remains committed to monitoring ScarCruft activities and providing support to those at risk of being attacked.