North Korean hackers, backed by the country’s government, have been linked to attacks on government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S.
The group, tracked by Google’s Threat Analysis Group under the name ARCHIPELAGO, is a subset of another group known as APT43. Google has been monitoring the hackers since 2012 and observed that they target individuals with expertise in North Korean policy issues.
ARCHIPELAGO uses phishing emails containing malicious links to redirect victims to fake login pages designed to steal their credentials.
ARCHIPELAGO invests time and effort to build a rapport with targets before sending a malicious link or file. They also use the browser-in-the-browser (BitB) technique to render rogue login pages inside an actual window to steal credentials.
The phishing messages have posed as Google account security alerts to activate the infection, and the group has hosted malware payloads on Google Drive in the form of blank files or ISO optical disc images. ARCHIPELAGO also uses fraudulent Google Chrome extensions to harvest sensitive data, as seen in prior campaigns known as Stolen Pencil and SharpTongue.
The priorities of APT43 and ARCHIPELAGO align with North Korea’s Reconnaissance General Bureau (RGB), the country’s primary foreign intelligence service. This suggests that the group overlaps with a group widely known as Kimsuky.
AhnLab Security Emergency Response Center has detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer malware.
The development highlights the continued threat posed by North Korean-backed hackers and the importance of remaining vigilant against their attacks.
