A North Korean government-backed hacking group has been linked to offensive cyber activity targeting South Korea and the United States, with a particular focus on individuals in government, the military, think tanks, policy-making, academia, and research.
Google's Threat Analysis Group (TAG) tracks the group as ARCHIPELAGO and describes it as a subset of a larger threat group, APT43, which is tracked by Mandiant.
Google said it has been monitoring the group since 2012 and noted that it targets individuals with expertise in North Korea policy issues such as non-proliferation, human rights, and sanctions.
The interests of APT43, and by extension ARCHIPELAGO, are assessed to align with those of North Korea's Reconnaissance General Bureau (RGB), the country's main foreign intelligence agency, which suggests some overlap with the more widely known Kimsuky group.
ARCHIPELAGO's attacks begin with phishing emails containing malicious links; when a recipient clicks one, they are taken to a counterfeit login page built to harvest usernames and passwords.
These messages purport to come from news outlets and research institutions and lure targets with requests for interviews or further information about North Korea.
TAG noted that ARCHIPELAGO invests considerable time and effort in building rapport with its targets, often corresponding by email for days or even weeks before finally sending a malicious link or file.
The threat actor is also known to use the browser-in-the-browser (BitB) technique, rendering a fake login page inside a legitimate browser window to steal credentials.
The phishing messages have also masqueraded as Google account security alerts. These are designed to trigger the delivery of the group's own malware, including payloads such as BabyShark, which are hosted on Google Drive disguised as empty files or ISO optical disc images.
ARCHIPELAGO has also adopted a notable technique: malicious Google Chrome extensions used to harvest sensitive data, as seen in earlier campaigns tracked as Stolen Pencil and SharpTongue.
The disclosure comes as AhnLab Security Emergency Response Center (ASEC) highlighted Kimsuky's use of Alternate Data Streams (ADS) and modified Microsoft Word documents to deliver information-stealing malware.
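Alternate Data Streams are an NTFS feature that lets a file carry extra named streams that do not show up in Explorer or a plain directory listing, which is why they are attractive as a hiding place for a payload. The script below is an added example, not code from the article or from ASEC or Google, that hunts for such hidden streams from a defender's side. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the scan root is a placeholder path, and the only streams it treats as benign are the default `:$DATA` stream and `Zone.Identifier` (the mark-of-the-web stamp that browsers attach to downloads).

```powershell
# Added example (not from the article): list files that carry NTFS alternate
# data streams beyond the default data stream and the mark-of-the-web stamp.
# Assumes Windows PowerShell 5.1+ on NTFS. $ScanRoot is a placeholder path.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads"
)

# Streams that are expected on ordinary files and should not be flagged.
$benignStreams = @(':$DATA', 'Zone.Identifier')

$findings = Get-ChildItem -Path $ScanRoot -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * enumerates every stream attached to the file,
        # returning objects with FileName, Stream and Length properties.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benignStreams -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }

if ($findings) {
    $findings | Sort-Object File | Format-Table -AutoSize
} else {
    Write-Output "No unexpected alternate data streams found under $ScanRoot"
}
```

Run it as `.\Find-Ads.ps1 -ScanRoot 'C:\Users\Public'` (script name is illustrative). A hit can be inspected without executing it via `Get-Content -LiteralPath <file> -Stream <name> -Encoding Byte -TotalCount 64`, and a confirmed unwanted stream is removed with `Remove-Item -LiteralPath <file> -Stream <name>`. Because a Zone.Identifier stream is what triggers SmartScreen and Office Protected View, treating it as benign here is deliberate; stripping it would weaken the very defenses the ISO-based delivery described above is designed to bypass.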