source link: https://siliconangle.com/2023/04/05/google-tag-researchers-detail-activities-north-korean-archipelago-hackers/

Google threat analysis researchers detail activities of North Korean 'Archipelago' hackers


Google LLC’s Threat Analysis Group today released new information on a subset of the North Korean hacking group known as APT43 and what it’s doing to protect users from this group.

Detailed in a report from Google-owned Mandiant last month, APT43 was first detected in 2018 and has collection priorities that align with the mission of the Reconnaissance General Bureau, North Korea’s foreign intelligence service. APT43 steals and launders cryptocurrency to buy operational infrastructure in a manner aligned with North Korea’s juche state ideology of self-reliance.

A subset of the group, dubbed “Archipelago” by Google TAG researchers, targets individuals with expertise in North Korea policy issues such as sanctions, human rights and nonproliferation issues. The targets have included Google and non-Google accounts belonging to government and military personnel, think tanks, policymakers, academics and researchers in South Korea, the U.S. and elsewhere.

Archipelago typically sends phishing emails in which members of the group pose as a representative of a media outlet or think tank and ask North Korea experts to take part in a media interview or to provide information. The emails prompt recipients to click a link to view the interview questions or the information request.

Unsurprisingly, the links in the email are malicious and take recipients to a phishing site that masquerades as a login prompt. The phishing page records keystrokes as they are typed into the login form and sends them to an attacker-controlled URL. After the recipient enters a password, the phishing page redirects to a benign document containing contextually appropriate interview questions or a request for information in line with the original phishing email, so the victim sees what was promised and has little reason to suspect anything.

The researchers found that Archipelago invests time and effort to build a rapport with targets, often emailing them over several days or weeks before finally sending a malicious link or file. In one case, the group posed as a journalist for a South Korean news agency and sent benign emails with an interview request to North Korea experts.

Early Archipelago campaigns focused on traditional credential phishing, but more recently the group has been observed incorporating malware into more of its operations, including efforts to evade detection and to develop new malware techniques. Archipelago password-protects its malware and shares the password with recipients in the phishing email: an encrypted archive cannot be inspected by antivirus or mail-gateway scanners, while the recipient can still open it.
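Why this trick works, and the check that defeats it, as an added example (not code from the article, Google TAG or Mandiant): a scanner cannot look inside an encrypted archive member, but the archive's own headers still announce that the member is encrypted, so a mail gateway can act on that fact together with a password offered in the same message. The sample archive, its member name, the password-hint phrasing and the verdict thresholds are all constructed here for illustration.

```python
import io
import re
import zipfile

# Constructed sample, not an APT43 artifact: a ZIP built locally, then marked as
# encrypted by setting bit 0 of the general-purpose flag in both the local file header
# (offset 6) and the central directory entry (offset 8), which is how PKZIP marks a
# password-protected member. The stdlib cannot write encrypted archives, hence the patch.
def build_sample_zip(encrypted: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Interview_Questions.docx.exe", b"MZ" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + flag_off] |= 0x01
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


# "the password is X" / "password: X" style hints in the message body (assumed phrasing).
PASSWORD_HINT = re.compile(r"\bpassword\b[^\n]{0,40}?(?:\bis\b|:)\s*(\S+)", re.IGNORECASE)


def encrypted_members(zip_bytes: bytes) -> list[str]:
    """Names of archive members whose header carries the encryption flag.

    Only the central directory is read; the scanner never needs the password to see
    that the payload has been hidden from it.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [info.filename for info in zf.infolist() if info.flag_bits & 0x01]
    except zipfile.BadZipFile:
        return []


def assess_message(body: str, attachments: dict[str, bytes]) -> dict:
    """Gateway-style verdict for one inbound message.

    An encrypted archive on its own is worth a look; an encrypted archive plus a
    password handed over in the same message is the delivery pattern the article
    describes, and is treated as quarantine-worthy.
    """
    findings = []
    for name, blob in attachments.items():
        if blob.startswith(b"PK\x03\x04"):
            hidden = encrypted_members(blob)
            if hidden:
                findings.append(f"{name}: encrypted members {hidden}")
    hint = PASSWORD_HINT.search(body)
    if findings and hint:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "verdict": verdict,
        "findings": findings,
        "password_in_body": hint.group(1) if hint else None,
    }


if __name__ == "__main__":
    msg = "Thanks for agreeing to the interview. The archive password is Nk2023!"
    print(assess_message(msg, {"questions.zip": build_sample_zip(True)}))
```

The same flag check applies to 7z and RAR (their headers likewise mark encrypted members), and a gateway that sees the password in the body can go one step further and open the archive with it before deciding; the point is that "cannot scan" should never silently become "allow".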

In an interesting twist, Archipelago was also found to use Google Drive accounts as part of its activities, using Drive files for command and control. Google has taken action to prevent the use of Drive by the threat actor.
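Drive traffic blends in with legitimate use, so blocking the domain is rarely an option; the check a defender can actually run is on timing. The example below is added here and is not code or telemetry from the article: it reads a constructed proxy log in an assumed format and flags hosts that hit a Drive domain at near-constant intervals, which is what a scripted client polling a Drive file for tasking looks like. The log format, the Drive host list and the thresholds (min_hits, max_cv) are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt (not real telemetry). Assumed format:
# <ISO-8601 UTC time> <src_ip> <dest_host> <method> <path> "<user agent>"
# 10.0.0.7 fetches the same Drive file once a minute from a scripted client;
# 10.0.0.9 is a person using Drive and Docs in a browser.
SAMPLE_LOG = """\
2023-04-05T09:00:00Z 10.0.0.7 drive.google.com GET /uc?export=download&id=FILEID "python-requests/2.28.1"
2023-04-05T09:01:00Z 10.0.0.7 drive.google.com GET /uc?export=download&id=FILEID "python-requests/2.28.1"
2023-04-05T09:02:01Z 10.0.0.7 drive.google.com GET /uc?export=download&id=FILEID "python-requests/2.28.1"
2023-04-05T09:03:00Z 10.0.0.7 drive.google.com GET /uc?export=download&id=FILEID "python-requests/2.28.1"
2023-04-05T09:04:00Z 10.0.0.7 drive.google.com GET /uc?export=download&id=FILEID "python-requests/2.28.1"
2023-04-05T09:00:12Z 10.0.0.9 drive.google.com GET /drive/my-drive "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0"
2023-04-05T09:27:40Z 10.0.0.9 docs.google.com GET /document/d/DOCID/edit "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0"
2023-04-05T11:03:05Z 10.0.0.9 drive.google.com GET /drive/shared-with-me "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0"
"""

DRIVE_HOSTS = {"drive.google.com", "docs.google.com", "www.googleapis.com"}
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, host, method, path, ua = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "host": host, "method": method, "path": path, "ua": ua})
    return events


def find_drive_beacons(events: list[dict], min_hits: int = 4, max_cv: float = 0.2) -> list[dict]:
    """Flag (src, host) pairs that reach a Drive host at near-constant intervals.

    cv = stdev(gap) / mean(gap): a scripted poller sits near 0, a person does not.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["host"] in DRIVE_HOSTS:
            by_pair[(e["src"], e["host"])].append(e)
    hits = []
    for (src, host), evs in by_pair.items():
        if len(evs) < min_hits:
            continue
        times = sorted(e["ts"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src, "host": host, "count": len(evs),
                "period_s": round(avg, 1), "cv": round(cv, 3),
                "browser_ua": all(e["ua"].startswith("Mozilla/") for e in evs),
                "distinct_paths": len({e["path"] for e in evs}),
            })
    return hits


if __name__ == "__main__":
    for hit in find_drive_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Treat a hit as a triage lead, not a verdict: Google's own desktop sync client also polls on a schedule with a non-browser user agent, so allow-list known clients and weigh the other fields (one path fetched over and over, a scripting-library user agent, a host that has no business using Drive). With TLS in the path you will only have the hostname, not the path, unless the proxy decrypts.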

Archipelago has also used malicious Chrome extensions in combination with phishing and malware. Extension features included the ability to steal usernames, passwords and browser cookies. Google has since introduced several changes to the Chrome extension ecosystem, including enhanced transparency through the Chrome Web Store and Manifest V3, that effectively disrupt the distribution of malicious extensions via the Chrome Web Store.
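What to look for when auditing an extension, as an added example (not from the article or from Google): the capabilities the article attributes to Archipelago's extensions map onto specific manifest permissions, and those are visible before the extension runs. The script below audits a manifest.json for them, reading host scope from both MV2-style entries in permissions and MV3 host_permissions. Both manifests are constructed for illustration; the risk list and the "cookie theft capable" rule are assumptions of this example.

```python
import json

# Permissions that give an extension the reach the article attributes to Archipelago's
# extensions (credential and cookie theft), with the reason each matters. Assumed list.
HIGH_RISK_PERMISSIONS = {
    "cookies": "reads session cookies for every host it has access to",
    "webRequest": "observes every request, including login form posts",
    "webRequestBlocking": "rewrites or blocks requests (MV2 only; not available to MV3 store extensions)",
    "debugger": "attaches to tabs and can read page content and network traffic",
    "nativeMessaging": "talks to a native binary, a bridge to on-host malware",
    "clipboardRead": "reads the clipboard, where pasted passwords end up",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifests (not from any real extension): one modelled on the cookie- and
# password-stealing capability described in the article, one a benign MV3 baseline.
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Document Viewer Helper",
    "version": "1.0",
    "permissions": ["cookies", "webRequest", "webRequestBlocking", "storage", "<all_urls>"],
    "background": {"scripts": ["bg.js"], "persistent": True},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}],
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Notes",
    "version": "2.1",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example.com/*"],
})


def host_scope(manifest: dict) -> set[str]:
    """Host patterns the extension may touch. MV3 lists them under host_permissions;
    MV2 mixes them into permissions, so both places are read."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return hosts


def audit_manifest(manifest_json: str) -> dict:
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    hosts = host_scope(m)
    findings = []
    for p in sorted(perms & HIGH_RISK_PERMISSIONS.keys()):
        findings.append(f"permission {p}: {HIGH_RISK_PERMISSIONS[p]}")
    broad = hosts & BROAD_HOST_PATTERNS
    if broad:
        findings.append("host access to every site: " + ", ".join(sorted(broad)))
    for cs in m.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOST_PATTERNS:
            findings.append("content script on every page: can read typed usernames and passwords")
    if m.get("manifest_version") != 3:
        findings.append(f"manifest_version {m.get('manifest_version')}: pre-MV3 rules, remotely hosted code still permitted")
    # Stealing cookies needs both the API and a host match; flag the combination explicitly.
    cookie_theft = "cookies" in perms and bool(broad)
    return {"name": m.get("name"), "cookie_theft_capable": cookie_theft, "findings": findings}


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(audit_manifest(manifest), indent=2))
```

Run it over every manifest.json under a user profile's Extensions directory to inventory what is installed; a "cookie theft capable" result is not proof of malice, but it is the set of extensions whose code is worth reading, and the set an enterprise policy should restrict to an allow-list.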

Image: Pixabay
