
North Korea-Aligned TAG-71 Spoofs Financial Institutions in Asia and US

2023-06-06, RecordedFuture
https://go.recordedfuture.com/hubfs/reports/cta-2023-0606.pdf
cta-2023-0606.pdf, 4.0 MB
#TAG-71

CYBER THREAT ANALYSIS | NORTH KOREA

By Insikt Group®
June 6, 2023

North Korea-Aligned TAG-71 Spoofs Financial Institutions in Asia and US


Executive Summary
Insikt Group has discovered malicious cyber threat activity spoofing several financial institutions and venture capital firms in Japan, Vietnam, and the United States. We currently refer to the group behind this activity as Threat Activity Group 71 (TAG-71). TAG-71 closely overlaps with public reporting on North Korean state-sponsored APT38 (also commonly known as Bluenoroff, Stardust Chollima, and BeagleBoyz) activity. We discovered 74 domains resolving to 5 IP addresses, as well as 6 malicious files, in the most recent cluster of activity from September 2022 to March 2023.

Previous Insikt Group reporting on overlapping activity attributed to TAG-71 highlighted the group’s spoofing of domains belonging to financial firms in Japan, Taiwan, and the United States, as well as popular cloud services used by a large number of enterprises. In March 2022, Insikt Group detected some 18 malicious servers tied to TAG-71 …

IoC (indicators extracted from the report: SHA-256 file hashes, IP addresses, and domains/URLs; note that the two schemas.openxmlformats.org entries are standard OOXML namespace URIs found in any Office document and are not indicators, and several URL entries are truncated)

06863bcb40655c737b5eb0162beee6b5bc06f324f8dbd3b3b11cacee066305fd
104.168.143.222
104.168.149.145
104.255.172.56
155.138.159.45
172.93.181.221
26e376fc80b090b2ee04e7d3104d308a150e58538580109a74f4ac49bf362423
3ee65304c66b151b329bd62cff6f376870006309550a8b588b7627f224f357c3
50320e2cff68bdcfa114879334804e3300433908c18a662ed2c37705d2852bac
607e7ac326994f0f85d85305c3b810789472b0d86411b628bbf65456588f110e
6d4b5f3ef86997bf333b3db8528661871e2baa7474775a8394d91a2af57ae31a
788c722f056f25b96a5876b683c1064e1b54feb91c84d75e5f74f3296d05dc0f
7a78609dedb0dc8b9c22c67116873675883a6f18d5904a9a81e2935083c3d1fb
bdeb94b7aa7a0809bf019c37b3b436bc6143f3c00144f17d411e047b39368477
be04d1b357ec88ffb87a7d22ae79c998f35c40a7ae4ef3fdae8b5c71ba6af57c
d1223db1e8dd0aa13b9bff498f47e103fc6d02e602ff168dc53c91faf9778a6c
http://104.168.143.222
http://104.168.149.145
http://104.255.172.56
http://155.138.159.45
http://172.93.181.221
http://_._domainkey.onlineshares.cloud
http://_._domainkey.service.onlineshares.cloud
http://_.service.onlineshares.cloud
http://_dmarc.onlineshares.cloud
http://_domainkey.onlineshares.cloud
http://_domainkey.service.onlineshares.cloud
http://additional.work.gd
http://autoprotect.com.de
http://autoprotect.com.se
http://autoprotect.gb.net
http://azure.doc-protect.cloud
http://azure.doc-view.cloud
http://book.tomming.us
http://cloud.anobaka.info
http://cloud.azurehosting.co
http://cloud.bdcc.bio
http://cloud.daiwa.ventures
http://cloud.dnx.ca
http://cloud.dnx.capital
http://cloud.espcapital.pro
http://cloud.gpmtreit.co
http://cloud.hedgehogvc.us
http://cloud.j-ic.co
http://cloud.j-ic.com
http://cloud.mekongcapital.net
http://cloud.nbright.best
http://cloudprotect.us.org
http://deck.altairvc.com
http://dmarc.onlineshares.cloud
http://doc.gdocshare.one
http://doc.secure-view.cloud
http://doc.secure-view.top
http://docs.azurehosting.co
http://documentuser.us.org
http://down.altairvc.info
http://down.espcapital.co
http://down.gpmtreit.co
http://down.gpmtreit.us
http://down.hedgehogvc.us
http://down.j-ic.co
http://down.j-ic.com
http://down.tomming.us
http://emv1.onlineshares.cloud
http://er.us.org/KGfITm
http://fs.digiboxes.us
http://internal.j-ic.co
http://ms.msteam.biz
http://ms.onlineshares.cloud
http://mufg.us.com
http://mufg.yokohama
http://nbright.best
http://ns1.trytiponlineresult.com
http://ns2.trytiponlineresult.com
http://one.microshare.cloud
http://open.onlinecloud.cloud
http://pcapital.pro/TzY
http://safe.doc-share.cloud
http://safe.doc-share.online
http://safe.doc-share.pro
http://safe.doc-share.top
http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate
http://schemas.openxmlformats.org/package/2006/relationships
http://securenetwork.world
http://service.onlineshares.cloud
http://share.1drvmicrosoft.com
http://share.anobaka
http://share.anobaka.info
http://shippingspro.com
http://site.siteshare.me
http://team.msteam.biz
http://tet.dnx.capital
http://trytiponlineresult.com
http://urehosting.co/0
http://urehosting.co/B
http://verifydocument.com.se
http://web.gpmtreit.us
http://web.j-ic.co
http://www.docuprivacy.com
http://www.onlinecloud.cloud
http://www.onlineshares.cloud
http://www.privacysign.org
https://cloud.es
https://docs.az
https://documentuser.us.org/KGfITmyU69q/XJ%2BPcdHl/UnLq8DPVQx/VqOsW_wINO/5Lhr9DDETQ/zQ
https://documentuser.us.org/KGfITmyU69q/XJ%2BPcdHl/UnLq8DPVQx/VqOsW_wINO/5Lhr9DDETQ/zQ56w%3D%3D
https://safe.doc-share