North Korean Group Targets South With Military ID Deepfakes


The flags of North Korea and South Korea

Source: Marian Weyo via Shutterstock

The North Korea-linked Kimsuky cyberthreat group has started using ChatGPT and other AI services to create images for fake identities — both to make social engineering attacks more convincing and as a way to obfuscate code execution.

In the latest attack, the group used deepfakes of South Korean military identification documents to attempt to convince targets — including journalists, researchers, and human-rights activists — to click on a link, according to an analysis published Sept. 15 by Genians, a South Korean cybersecurity firm. The attack targeted a defense-related institution and requested the targeted individuals review a draft of the identity documents.

The technique is all about making the recipient perceive the email content as personally or professionally relevant, a Genians spokesperson said in response to questions from Dark Reading.

"This is less about simple visual deception and more about enhancing social-engineering effectiveness," the spokesperson said. "Using an image that aligns with the recipient's actual work context significantly increases the chance of engagement."

The social engineering attack is just the latest to use generative AI to create synthetic identities. The North Korean groups PurpleDelta and PurpleBravo — Recorded Future's monikers for groups involved in the North Korean IT worker operation — have both used AI for generating code, modifying documents, correcting their English, and translating text from another language to Korean, says Mitch Haszard, principal threat intelligence analyst at Recorded Future.


A fake South Korean military ID

The fake South Korean military ID with metadata showing that it is AI-generated. Source: Genians

"On the AI front, we've observed PurpleDelta ... use a myriad of AI tools to assist them in their fraudulent work efforts, as well as PurpleBravo's use of AI-generated images of recruiters when targeting software developers in the cryptocurrency industry with fictitious job offers," he says.

Both OpenAI and Anthropic have published reports on how hacking groups have been using their large language models (LLMs) and generative AI systems to help in their offensive operations. In its late August report, for example, Anthropic discovered one threat actor that created a synthetic identity service that heavily utilized its Claude Code LLM for specific capabilities, such as rotating between different card-validation services and throttling requests to avoid detection.
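The Genians caption above notes that the fake ID's metadata revealed its AI origin, so inspecting a lure image's embedded text fields is a cheap triage step. The following Python is an added illustration, not code from the article or from Genians: it walks a PNG's chunk list, verifies each CRC, collects tEXt/iTXt keyword-text pairs, and flags entries matching an assumed, illustrative list of generator keywords. The sample image and its "Software" string are constructed here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Illustrative substrings (an assumption, not a vetted list) suggesting a generation tool left its name.
GENERATOR_HINTS = ("generat", "dall-e", "stable diffusion", "midjourney", "openai", "chatgpt")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(text_fields: dict) -> bytes:
    """Constructed 1x1 RGB PNG carrying the given keyword->text pairs as tEXt chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte + one white pixel
    texts = [_chunk(b"tEXt", k.encode("latin-1") + b"\x00" + v.encode("latin-1"))
             for k, v in text_fields.items()]
    return PNG_SIG + _chunk(b"IHDR", ihdr) + b"".join(texts) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_text_metadata(data: bytes) -> dict:
    """Walk the chunk list, verify each CRC, and collect tEXt/iTXt keyword->text pairs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, meta = len(PNG_SIG), {}
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        if ctype == b"tEXt":
            key, _, val = body.partition(b"\x00")
            meta[key.decode("latin-1")] = val.decode("latin-1")
        elif ctype == b"iTXt":  # keyword\0 compflag compmethod lang\0 transkey\0 text
            key, _, rest = body.partition(b"\x00")
            compressed, rest = rest[0] == 1, rest[2:]
            _lang, _, rest = rest.partition(b"\x00")
            _tkey, _, txt = rest.partition(b"\x00")
            meta[key.decode("latin-1")] = (zlib.decompress(txt) if compressed else txt).decode("utf-8", "replace")
        pos += 12 + length
        if ctype == b"IEND":
            break
    return meta


def ai_generation_hits(meta: dict) -> list:
    """Return (keyword, text) pairs whose content matches a generator hint."""
    return [(k, v) for k, v in meta.items()
            if any(h in (k + " " + v).lower() for h in GENERATOR_HINTS)]
```

Absence of a hit proves nothing, since metadata is trivially stripped; a hit is only a cue to treat the image and its accompanying attachment with more suspicion.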

Multiplying Identities

Creating fake identity documents has become an increasingly common way to add credibility to phishing attempts and social-engineering attacks. North Korean groups have frequently created fake identity documents for operatives posing as IT workers as part of the massive operation to embed North Korean technical experts inside Western companies.


The military IDs are both a way to lend credibility to the phishing lure and a document tailored to the target, says John Fokker, head of threat intelligence at Trellix, a threat detection and response firm. "The military ID does give off a level of authority, even though a different lure could have been used to accomplish the attack," he says.

Such identities take an hour to create and can help fool even cybersecurity firms and software firms. Augmenting phishing lures with real-looking photo IDs has become much more popular among social-engineering-focused groups, says Stephen Hilt, senior threat researcher at Trend Micro, a cybersecurity software firm.

"While we have not seen this exact 'deepfake military ID' lure, it matches the kind of evolving deception these groups employ, and we have documented their use of AI to strengthen their personas for attacks," he says. "A fake ID gives authority to the request, provides a plausible reason to open the file, and serves as a decoy while the malicious loader executes."


In the latest attack, the scheme relies heavily on social engineering. The victim must first click on the link in the phishing email, which would download and open a zip file, and then must open the LNK file in the archive to compromise their system. Other documents included in the attack were a report on economic issues in North Korea and a government investigations report on last year's crisis in South Korea over the Yoon Suk-yeol administration's declaration of martial law.

"These attacks were characterized by themes designed to attract and deceive targets, focusing on sensitive topics related to North Korea research, national defense, and political or social issues," Genians stated in its report.

The threat researchers attributed the attacks to Kimsuky by correlating specific threat indicators, including IP addresses and particular malware, and by finding interconnections to the North Korean nation-state group.
