Google is on a crusade against North Korean cybersecurity threats

Google's Threat Analysis Group (TAG) has released a report on a North Korean threat actor known as APT43, detailing the group's goals and techniques as well as Google's efforts to crack down on it.

In the report, TAG refers to APT43 as ARCHIPELAGO. The group has been active since 2012, targeting people with expertise in North Korean policy issues such as sanctions, human rights and non-proliferation, the report said.

These targets include military and government personnel, think tank members, policymakers, academics and researchers. Most of them are South Korean, though not exclusively.

Informing victims

ARCHIPELAGO targets the Google and third-party accounts of these people. It deploys a range of tactics, all aimed at stealing user credentials and installing data stealers, backdoors or other malware on targeted devices.

Most of the activity is phishing. The email back-and-forth can sometimes last for days, with the threat actor posing as a familiar person or organization and building enough trust to successfully deliver malware through email attachments.

Google said it counters this by adding newly discovered malicious websites and domains to Safe Browsing, sending alerts to targeted users letting them know they are under attack, and prompting them to enroll in Google's Advanced Protection Program.

The hackers also hosted benign-looking PDF files containing links to malware on Google Drive, hoping to evade detection by antivirus programs this way. They also encoded malicious payloads into the names of files hosted on Drive, while the files themselves were empty.
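As an added illustration of the Drive filename technique described above (example code written for this page, not Google's own detection logic), the following Python flags zero-byte files in a Drive listing whose names decode as a base64 text blob. The file listing and the encoded sample are constructed, and the printable-text heuristic is an assumption that would miss a binary payload.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate stems: long runs of base64/base64url characters, no spaces or dots.
BASE64_STEM = re.compile(r"^[A-Za-z0-9+/_-]{24,}$")


@dataclass
class DriveFile:
    name: str
    size_bytes: int


def decode_stem(name: str) -> Optional[bytes]:
    """Return the bytes a base64-looking filename stem decodes to, else None."""
    stem = name.rsplit(".", 1)[0]          # drop the extension, if any
    if not BASE64_STEM.match(stem) or len(stem) % 4 == 1:
        return None                        # 4n+1 characters is never valid base64
    padded = stem + "=" * (-len(stem) % 4)  # restore padding the actor may have stripped
    try:
        return base64.b64decode(padded, altchars=b"-_")  # accept base64url too
    except (binascii.Error, ValueError):
        return None


def is_filename_payload(f: DriveFile, min_len: int = 16, min_printable: float = 0.9) -> bool:
    """Flag an empty file whose name decodes to a text-like blob (heuristic, assumed)."""
    if f.size_bytes != 0:
        return False                       # the pattern described is an empty file
    decoded = decode_stem(f.name)
    if decoded is None or len(decoded) < min_len:
        return False
    printable = sum(32 <= b < 127 for b in decoded)
    return printable / len(decoded) >= min_printable


def flag_drive_listing(files: List[DriveFile]) -> List[str]:
    """Names of files in the listing that match the encoded-filename pattern."""
    return [f.name for f in files if is_filename_payload(f)]


# Constructed sample listing (not real data): one filename carries a base64url-encoded
# text blob and the file itself is empty; the others are ordinary documents.
SAMPLE_BLOB = b"[constructed sample] action=checkin interval=3600 channel=drive"
SAMPLE_NAME = base64.urlsafe_b64encode(SAMPLE_BLOB).decode().rstrip("=") + ".txt"
SAMPLE_LISTING = [
    DriveFile("Sanctions briefing April 2023.pdf", 184_320),
    DriveFile("notes.txt", 0),
    DriveFile(SAMPLE_NAME, 0),
    DriveFile(SAMPLE_NAME, 2048),  # same name but non-empty: not the pattern described
]
```

Running `flag_drive_listing(SAMPLE_LISTING)` returns only the empty file with the encoded name.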

"Google has taken steps to discontinue ARCHIPELAGO's use of Drive filenames to encode malware payloads and commands. The group has since stopped using this technique in Drive," Google said.

Finally, the group created malicious Chrome extensions that allowed it to steal browser login credentials and cookies. This prompted Google to tighten security in the Chrome extensions ecosystem, so that the threat actor must now first compromise the endpoint and then overwrite Chrome's Preferences and Secure Preferences files in order to run its malware.