Google TAG warns of North Korea-linked ARCHIPELAGO cyberattacks

April 05, 2023 | Ravie Lakshmanan | Cyber Attacks / Cyber Threats

North Korean government-backed threat actors have been linked to attacks targeting government and military personnel, think tanks, policy makers, academics and researchers in South Korea and the United States.

Google’s Threat Analysis Group (TAG) is tracking the cluster under the name ARCHIPELAGO, which it says is a subset of a larger threat group that Mandiant tracks as APT43.

The tech giant said it began monitoring the hacking crew in 2012, adding that it had “observed groups targeting individuals with expertise in North Korea policy issues such as sanctions, human rights, and non-proliferation issues.”

APT43’s priorities, and by extension ARCHIPELAGO’s, are said to align with those of North Korea’s Reconnaissance General Bureau (RGB), the country’s main foreign intelligence service, and to overlap with the activity of the group widely known as Kimsuky.

“ARCHIPELAGO represents a part of the activity commonly known as Kimsuky,” Google TAG told The Hacker News. “Over the last 11 years we’ve seen groups grow their tactics from fairly basic credential phishing to new, advanced techniques like custom Chrome extensions and use of Google Drive for (command-and-control).”

The attack chain mounted by ARCHIPELAGO involves phishing emails carrying malicious links that, when clicked, redirect recipients to fake login pages designed to harvest their credentials.

These messages purport to be from media and think tanks and attempt to lure targets under the pretext of requesting interviews or additional information about North Korea.

“ARCHIPELAGO invests time and effort to build a relationship with targets, often corresponding with them via email for days or weeks before finally sending a malicious link or file,” said TAG.


The threat actor has also been known to use browser-in-the-browser (BitB) techniques, in which a fake pop-up sign-in window, complete with a spoofed address bar, is drawn with HTML and CSS inside the real browser window so that the credential form appears to come from a trusted site.
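To make the browser-in-the-browser check concrete, here is an added example (not code from Google TAG or the original article) that relies on the one property a BitB page cannot hide: the address bar of the fake window is ordinary page text chosen by the attacker, while the login form is a real iframe whose src points at the phishing host. The scanner extracts both from a page's HTML and reports any displayed URL whose host differs from the host a frame actually loads. The two sample pages and the hostnames in them are constructed for this example. A kit that draws the address bar as an image would evade this text-based check; the manual test in that case is to try to drag the "window" outside the browser viewport, which a fake one cannot do.

```python
"""Heuristic detector for browser-in-the-browser (BitB) phishing pages.

Added example, not from the article. Compares URL-looking text rendered in
the page (the fake address bar) against the real hosts loaded by <iframe>
elements; a mismatch is the BitB signature.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class _Collector(HTMLParser):
    """Collects iframe hosts and URL-looking body text, skipping script/style."""

    def __init__(self):
        super().__init__()
        self.iframe_hosts = []   # hosts that frames really load from
        self.shown_urls = []     # URL text the victim can see on the page
        self._skip = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True
        if tag == "iframe":
            src = dict(attrs).get("src") or ""
            host = urlparse(src).hostname
            if host:
                self.iframe_hosts.append(host)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.shown_urls.extend(URL_RE.findall(data))


def find_bitb_mismatches(html):
    """Return (displayed_url, real_iframe_host) pairs where the URL the user
    sees does not match the host a frame on the page actually loads."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for shown in collector.shown_urls:
        shown_host = urlparse(shown).hostname
        if not shown_host:
            continue
        for real_host in collector.iframe_hosts:
            if real_host != shown_host:
                findings.append((shown, real_host))
    return findings


# Constructed BitB page (not a real capture): the painted address bar claims
# accounts.google.com, but the sign-in form is framed from the phishing host.
BITB_SAMPLE = """
<div class="fake-window">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="addressbar">https://accounts.google.com/signin/v2/identifier</div>
  <iframe src="https://login-verify.example/google/index.html" width="480" height="640"></iframe>
</div>
"""

# Constructed benign page: the only URL shown matches the frame's real host.
BENIGN_SAMPLE = """
<p>Watch at https://video.example/embed/123</p>
<iframe src="https://video.example/embed/123"></iframe>
"""

if __name__ == "__main__":
    for shown, real in find_bitb_mismatches(BITB_SAMPLE):
        print(f"BitB suspect: page shows {shown} but frame loads from {real}")
    print("benign findings:", find_bitb_mismatches(BENIGN_SAMPLE))
```

Run it against the saved HTML of a page that asked for credentials in a pop-up. Because it compares every visible URL against every frame, it is noisy on ordinary pages full of links; on a suspected phishing page, restricting the visible-URL side to elements styled as a title or address bar keeps the signal clean.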

What’s more, phishing messages have posed as Google account security alerts to lure targets into infecting themselves, with malware payloads such as BabyShark hosted on Google Drive disguised as blank files or ISO optical disc images.


Another notable technique adopted by ARCHIPELAGO is the use of rogue Google Chrome extensions to harvest sensitive data, as seen in previously documented activity tracked as Stolen Pencil and SharpTongue.

The development comes as the AhnLab Security Emergency Response Center (ASEC) details Kimsuky’s use of NTFS Alternate Data Streams (ADS) and weaponized Microsoft Word files to deliver information-stealing malware.
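As an added example (not code from ASEC's report or this article), the following Python triages Sysmon Event ID 15 (FileCreateStreamHash) records, which Sysmon writes whenever a named stream is created on a file, for the ADS staging just mentioned. The log lines are a constructed key=value rendering of the fields Sysmon records (Image, TargetFilename), not a real capture, and the allowlist of benign stream names is an assumption to tune per environment. The underlying observation is that nearly every legitimate stream on a workstation is Zone.Identifier (the mark of the web), so any other stream, especially one written by an Office process or named like an executable, deserves a look.

```python
"""Triage of Sysmon Event ID 15 (FileCreateStreamHash) for alternate data streams.

Added example, not from the article or ASEC. The log format below is a
constructed key=value rendering of Sysmon fields, not Sysmon's XML.
"""

# Assumption: stream names that are expected on a normal Windows host.
BENIGN_STREAMS = {"Zone.Identifier", "SmartScreen"}
# Writers that should never be creating named streams on disk.
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")
EXEC_EXT = (".exe", ".dll", ".vbs", ".js", ".ps1", ".bat", ".scr")


def parse_event(line):
    """Split a 'key=value|key=value' line into a dict (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def split_stream(target):
    r"""'C:\dir\note.txt:payload.exe' -> ('C:\dir\note.txt', 'payload.exe').

    The colon after the drive letter (index 1) is never the stream separator,
    and a trailing ':$DATA' type suffix is dropped before splitting.
    """
    if target.upper().endswith(":$DATA"):
        target = target[:-6]
    idx = target.rfind(":")
    if idx <= 1:
        return target, ""
    return target[:idx], target[idx + 1:]


def triage(events):
    """Return an alert dict per non-benign stream creation, in log order."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "15":
            continue  # only stream-creation events matter here
        path, stream = split_stream(ev.get("TargetFilename", ""))
        if not stream or stream in BENIGN_STREAMS:
            continue
        reasons = ["non-standard stream"]
        image = ev.get("Image", "").lower()
        if image.endswith(OFFICE_IMAGES):
            reasons.append("written by Office process")
        if stream.lower().endswith(EXEC_EXT):
            reasons.append("executable stream name")
        alerts.append({"file": path, "stream": stream,
                       "image": ev.get("Image", ""), "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry). Line 1 is the normal
# mark-of-the-web write on a download; line 2 is a Word process dropping a
# script into a stream of a text file; line 3 is a plain file create (ID 11);
# line 4 is a user-added comment stream that is odd but not executable.
SAMPLE_EVENTS = [
    r"EventID=15|Image=C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"|TargetFilename=C:\Users\kim\Downloads\interview_request.docx:Zone.Identifier",
    r"EventID=15|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|TargetFilename=C:\Users\kim\AppData\Local\Temp\notes.txt:update.vbs",
    r"EventID=11|Image=C:\Windows\explorer.exe"
    r"|TargetFilename=C:\Users\kim\Documents\plain.txt",
    r"EventID=15|Image=C:\Windows\explorer.exe"
    r"|TargetFilename=C:\Users\kim\Documents\readme.txt:comment",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["file"], "->", alert["stream"], ";", ", ".join(alert["reasons"]))
```

On the suspect host itself, PowerShell's `Get-Item -Path <file> -Stream *` lists every stream on a file, which is the quickest way to confirm an alert like the second one before pulling the stream's content for analysis.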
