Google’s Threat Analysis Group (TAG) has disclosed details of a North Korean government-backed threat actor it tracks as ARCHIPELAGO, which has been linked to attacks on government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S. since 2012. Google describes ARCHIPELAGO as a subset of the activity Mandiant tracks under the name APT43.
Deceptive Methods and Emerging Techniques
ARCHIPELAGO relies on phishing to gain initial access. The group sends emails containing malicious links that lead recipients to fake login pages built to steal credentials. The emails typically impersonate media outlets and think tanks, requesting an interview or further information about North Korea to draw the target in.
Beyond conventional phishing, ARCHIPELAGO has used the browser-in-the-browser (BitB) technique, which draws a fake pop-up window, complete with a fabricated address bar, inside the real browser page. Because the visible URL is just rendered HTML rather than the browser’s own address bar, the usual check of "look at the URL before you type your password" no longer works; a real pop-up can be dragged beyond the edge of the parent window, while a BitB window cannot. The group has also deployed fraudulent Google Chrome extensions to collect sensitive data, activity reported in the campaigns known as Stolen Pencil and SharpTongue.
Google TAG’s disclosure underlines the persistent threat from North Korean state-backed actors. Kimsuky, for example, has been observed hiding an info-stealer inside an NTFS Alternate Data Stream (ADS) and delivering it through weaponized Microsoft Word documents. As these techniques keep evolving, organizations and individuals with exposure to North Korea policy work need to treat unsolicited interview and information requests as untrusted until verified out of band.
Phishing Techniques Used by ARCHIPELAGO
ARCHIPELAGO’s primary approach is a well-crafted phishing email carrying a malicious link. The message is written to look as though it comes from a legitimate media outlet or think tank, so the target opens it, and a request for an interview or for additional information about North Korea gives the target a reason to click.
The link leads to a fake login page that closely resembles the real one. The page harvests the credentials the victim enters, giving the threat actor access to the victim’s accounts and the sensitive information in them. ARCHIPELAGO invests in rapport first: it often corresponds with a target by email for days or weeks before sending the malicious link or file, which is why a benign-looking exchange is no guarantee that the eventual attachment or link is safe.
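The lure pattern described above (a sender impersonating a media outlet or think tank, and a link whose visible text does not match where it actually goes) can be checked mechanically at mail-gateway or triage time. The script below is an added example written for this page, not code from Google TAG or from any vendor report; the sample email, the organisation name "Daily Example", the domains, and the free-mail list are all constructed for illustration, and the eTLD+1 helper is a deliberate simplification (use a public-suffix library in production).

```python
"""Triage checks for the phishing lure pattern described above.

Added example, not from the TAG report. It flags two things:
  1. display-name impersonation: the From: name references a known
     organisation but the sending domain is not that organisation's, or
     is a free-mail provider;
  2. link deception: anchor text shows one domain while the href goes to
     another, or a brand string sits in a look-alike host.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; every name and domain here is made up.
SAMPLE_EMAIL = """\
From: "Daily Example Newsroom" <newsroom.dailyexample@gmail.com>
To: analyst@example.org
Subject: Interview request on DPRK missile policy
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Dr. Lee, we would like to ask a few questions for an article.</p>
<p>Please review the questions here:
<a href="https://accounts-google.com.login-verify.example/auth">https://docs.google.com/document/d/abc123</a></p>
</body></html>
"""

# Organisations the lure might impersonate, mapped to their legitimate
# registrable domains. Placeholder data; a deployment would curate this.
KNOWN_SENDERS = {"daily example": {"dailyexample.example"}}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "naver.com", "daum.net"}
# Brands commonly imitated on credential-harvesting pages (assumed list).
BRANDS = {"google": "google.com", "microsoft": "microsoft.com", "naver": "naver.com"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Simplification for the example;
    multi-label public suffixes (e.g. co.kr) need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(msg):
    """Compare the From: display name against the sending domain."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if domain in FREEMAIL:
        findings.append(f"sender uses free-mail domain {domain} under display name {name!r}")
    for org, domains in KNOWN_SENDERS.items():
        if org in name.lower() and registrable_domain(domain) not in domains:
            findings.append(f"display name references {org!r} but domain {domain} is not in {sorted(domains)}")
    return findings


def html_body(msg):
    """Return the decoded text/html body, or '' if there is none."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def check_links(html):
    """Flag anchors whose visible URL and real target disagree, and
    brand strings in hosts that are not the brand's own domain."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        target = (urlparse(href).hostname or "").lower()
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(target):
            findings.append(f"link text shows {shown_host} but href goes to {target}")
        for brand, real in BRANDS.items():
            if brand in target and registrable_domain(target) != real:
                findings.append(f"brand {brand!r} in look-alike host {target}")
    return findings


def triage(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw)
    return check_sender(msg) + check_links(html_body(msg))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the constructed sample, the script raises four flags: the free-mail sender, the "Daily Example" name on a non-Daily-Example domain, the visible docs.google.com link that really points at login-verify.example, and the "google" string in a look-alike host. Neither check needs the body of the email to be suspicious in itself, which matters here because ARCHIPELAGO's messages are polite, on-topic, and often arrive after several rounds of benign correspondence.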