TLP Clear Cybersecurity Advisory: North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts

May 2, 2024


The Federal Bureau of Investigation (FBI), the U.S. Department of State, and the National Security Agency (NSA) are jointly issuing this advisory to highlight attempts by Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) Kimsuky cyber actors to exploit improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts. When a domain publishes no DMARC record, or publishes one whose policy is "p=none" (monitor only), receiving mail servers will neither quarantine nor reject messages that fail SPF and DKIM alignment, so malicious cyber actors can send spoofed emails that appear to come from that legitimate domain. The North Korean cyber actors have conducted spearphishing campaigns posing as legitimate journalists, academics, or other experts in East Asian affairs with credible links to North Korean policy circles. North Korea leverages these spearphishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting North Korean interests by gaining illicit access to targets’ private documents, research, and communications. This Joint Cybersecurity Advisory (CSA) includes indicators of North Korean social engineering (page 4 of the advisory) for potential victims receiving spearphishing emails, as well as mitigation measures (page 9 of the advisory) for organizations whose domains could be impersonated in North Korean spearphishing. For additional information on state-sponsored North Korean malicious cyber activity, see the June 2023 Kimsuky CSA, “North Korea using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media.”
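The following is an added example, not part of the joint advisory or the AHA page, showing how a domain owner can check a DMARC TXT record for the weak configurations the advisory warns about: a missing record, a "p=none" policy, a partial rollout ("pct" below 100 or "sp=none" on subdomains), and no aggregate-reporting address ("rua"). The domain names and record strings are constructed for the example; in practice the record would be fetched from DNS at `_dmarc.<domain>` rather than from the inline dictionary.

```python
"""Added example (not from the advisory): grade DMARC records for weakness.

DMARC records are published as TXT at _dmarc.<domain> and look like
    v=DMARC1; p=reject; rua=mailto:dmarc@example.net
Tag semantics follow RFC 7489: p is the policy for the domain, sp the
policy for subdomains (defaults to p), pct the share of failing mail the
policy applies to (defaults to 100), rua the aggregate-report address.
"""

# Constructed sample records keyed by hypothetical domains.
SAMPLE_RECORDS = {
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "example.net": "v=DMARC1; p=reject; rua=mailto:dmarc@example.net; pct=100",
    "example.com": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "example.edu": "",                                        # no record published
    "example.io": "v=spf1 include:_spf.example.io -all",      # SPF, not DMARC
}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # A DMARC record must carry v=DMARC1; anything else (SPF, empty) is not one.
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (verdict, findings).

    verdict is one of:
      "missing"   - no DMARC record, spoofed mail is accepted
      "none"      - p=none or an invalid/absent p tag, receivers only report
      "partial"   - enforcing policy but with a rollout gap (pct<100 or sp=none)
      "enforcing" - p=quarantine or p=reject applied to all mail
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", ["no DMARC record: failing mail is neither quarantined nor rejected"]

    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: receivers only report failures, they do not act on them")
    elif policy not in ("quarantine", "reject"):
        findings.append("invalid or missing p tag (%r)" % policy)
    policy_weak = bool(findings)

    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s: policy applied to only part of failing mail" % pct)
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains can be spoofed regardless of p")
    rollout_gap = len(findings) > (1 if policy_weak else 0)

    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected, so spoofing goes unnoticed")

    if policy_weak:
        return "none", findings
    if rollout_gap:
        return "partial", findings
    return "enforcing", findings


def audit(records):
    """Map each domain to its verdict; the detail list is available via assess_dmarc."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, findings = assess_dmarc(record)
        print("%-12s %-10s %s" % (domain, verdict, "; ".join(findings) or "ok"))
```

Only the "enforcing" verdict means a receiving server that honours DMARC will quarantine or reject a spoofed message; the advisory's mitigation is to move a domain from "missing" or "none" to "p=quarantine" or "p=reject" (with "rua" set so the domain owner sees the spoofing attempts in aggregate reports).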

View the detailed Advisory below. 

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

(O) +1 202 626 2272