A North Korean government-backed threat actor has been linked to attacks targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S.
Google’s Threat Analysis Group (TAG) is tracking the cluster under the name ARCHIPELAGO, which it said is a subset of another threat group tracked by Mandiant under the name APT43.
The tech giant said it began monitoring the hacking crew in 2012, adding it has “observed the group target individuals with expertise in North Korea policy issues such as sanctions, human rights, and non-proliferation issues.”
The priorities of APT43, and by extension ARCHIPELAGO, are said to align with North Korea’s Reconnaissance General Bureau (RGB), the primary foreign intelligence service, suggesting overlaps with a group broadly known as Kimsuky.
“ARCHIPELAGO represents a subset of activity that is commonly known as Kimsuky,” Google TAG told The Hacker News. “Over the last 11 years we’ve seen the group evolve their tactics from fairly basic credential phishing to advanced and novel techniques like custom Chrome extensions and use of Google Drive for [command-and-control].”
Attack chains mounted by ARCHIPELAGO involve the use of phishing emails containing malicious links that, when clicked by the recipients, redirect to fake login pages that are designed to harvest credentials.
These messages purport to be from media outlets and think tanks and seek to entice targets under the pretext of requesting interviews or additional information about North Korea.
“ARCHIPELAGO invests time and effort to build a rapport with targets, often corresponding with them by email over several days or weeks before finally sending a malicious link or file,” TAG said.
The threat actor is also known to employ the browser-in-the-browser (BitB) technique to render rogue login pages inside an actual window to steal credentials.
What’s more, the phishing messages have posed as Google account security alerts to activate the infection, with the adversarial collective hosting malware payloads like BabyShark on Google Drive in the form of blank files or ISO optical disc images.
Another notable technique adopted by ARCHIPELAGO is the use of fraudulent Google Chrome extensions to harvest sensitive data, as evidenced in prior campaigns dubbed Stolen Pencil and SharpTongue.
The development comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer malware.
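As an added defender-side check that is not part of the article or ASEC's research, the following PowerShell script lists files under a directory that carry NTFS alternate data streams beyond the primary `:$DATA` stream, the hiding technique ASEC describes. It assumes Windows PowerShell 3.0 or later on an NTFS volume; `$ScanRoot` is a placeholder path, and excluding the browser `Zone.Identifier` stream is a choice made here to cut noise.

```powershell
# Added example, not from the article: enumerate files with non-default NTFS alternate data streams.
# Assumptions: Windows PowerShell 3.0+ (or PowerShell 7) on NTFS; $ScanRoot is a placeholder path.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads"
)

# ':$DATA' is every file's primary stream; 'Zone.Identifier' is the Mark-of-the-Web stream
# written by browsers and mail clients, so neither is interesting on its own.
$ignored = @(':$DATA', 'Zone.Identifier')

Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns one object per NTFS stream attached to the file
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $ignored -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    } |
    Sort-Object File |
    Format-Table -AutoSize
```

A stream flagged by the scan can be read for triage with `Get-Content -LiteralPath <file> -Stream <name>`, and a sizeable stream attached to an otherwise small document is worth submitting to analysis rather than opening.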