A North Korean government-backed threat actor has been linked to attacks targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S.
The tech giant said it began monitoring the hacking crew in 2012, adding it has “observed the group target individuals with expertise in North Korea policy issues such as sanctions, human rights, and non-proliferation issues.”
The priorities of APT43, and by extension ARCHIPELAGO, are said to align with North Korea’s Reconnaissance General Bureau (RGB), the primary foreign intelligence service, suggesting overlaps with a group broadly known as Kimsuky.
Attack chains mounted by ARCHIPELAGO involve the use of phishing emails containing malicious links that, when clicked by the recipients, redirect to fake login pages that are designed to harvest credentials.
These messages purport to be from media outlets and think tanks and seek to entice targets under the pretext of requesting for interviews or additional information about North Korea.
“ARCHIPELAGO invests time and effort to build a rapport with targets, often corresponding with them by email over several days or weeks before finally sending a malicious link or file,” TAG said.
The threat actor is also known to employ the browser-in-the-browser (BitB) technique to render rogue login pages inside an actual window to steal credentials.
What’s more, the phishing messages have posed as Google account security alerts to activate the infection, with the adversarial collective hosting malware payloads like BabyShark on Google Drive in the form of blank files or ISO optical disc images.
Another notable technique adopted by ARCHIPELAGO is the use of fraudulent Google Chrome extensions to harvest sensitive data, as evidenced in prior campaigns dubbed Stolen Pencil and SharpTongue.