Google Warns of North Korean 'Archipelago' CyberattacksHackers Send Emails for Days, Weeks to Build Rapport Before Sending Malicious Link
North Korean hackers who use social engineering tactics for espionage have learned that less is more when it comes to coaxing victims into clicking a malicious link.
It might take days or weeks of exchanging rapport-building emails before the Pyongyang hacking group Google tracks as Archipelago sends a malicious link. It might even send a PDF without malware embedded into it, counting on a reservoir of trust leading the recipient to - finally - click on a malicious link displayed in the document.
Google's Threat Analysis Group says it is disclosing details on Archipelago after sister threat intelligence unit Mandiant in late March reported on the hacking group's tactics (see: North Korean Threat Groups Steal Crypto to Pay for Hacking).
Mandiant tracks the espionage-focused group as APT43; Google says Archipelago is a subset of APT43 and activities from both groups overlap with actions attributed to North Korean groups Kimsuky or Thallium. Google TAG and Mandiant agree that the Kim Jong Un regime tasked these hackers with penetrating the online accounts of experts in peninsular affairs.
"They're the guys Kim Jong Un goes to after launching a missile to ask: 'What did the world think of that?’" a Mandiant analyst earlier told Information Security Media Group. South Korean and German security agencies in March warned regional specialists to be vigilant against clever North Korean phishing attempts since "an attack is underway."
In an incident observed by Google researchers, a threat actor posing as a journalist for a South Korean news agency sent benign emails with interview requests to North Korean experts. When recipients replied expressing interest, the hackers didn't immediately respond with a malicious link. It wasn't until several emails later that Archipelago sent a link to a Microsoft OneDrive folder containing a password-protected file hosting malware.
Archipelago also uses "browser in the browser" phishing pages, which trick users into opening a fake browser window inside the actual browser window.
Recently, the group has incorporated malware more directly into its operations, using techniques to evade detection. One example involved sending a phishing email with a link to an ISO file hosted by Google Drive. The file, titled
Interview_with_Voice_of_America.iso, contained a zip file that when decompressed revealed a password-protected document. When that document was decrypted, it installed and ran a VBS script related to the North Korean-linked BabyShark malware family.
Hiding the malware behind passwords shields the malicious files from antivirus scanning.
North Korean hackers are well known for using malicious Chrome extensions. Most recently, they've used an extension known as Sharpext. The warning from South Korean and German security agencies says that phishing emails encourage victims to download the extension, which steals content from email providers, including Gmail.