Google is on a crusade against cybersecurity threats from North Korea
Google’s Threat Analysis Group (TAG) has published a report detailing its efforts to combat a North Korean threat actor called APT43, its targets, and techniques, as well as explaining the efforts it put into cracking down on this hacking collective.
In the report, TAG refers to APT43 as ARCHIPELAGO. The group has been active since 2012, targeting individuals with expertise in North Korean policy issues such as sanctions, human rights, and non-proliferation issues, it was said.
These individuals could be government and military staff, members of various think tanks, policymakers, academics, and researchers. Most of the time they’re of South Korean nationality, but it’s not exclusive.
Notifying the victims
ARCHIPELAGO would target these people’s both Google and non-Google accounts. They deploy different tactics, all with the goal of stealing user credentials and installing infostealers, backdoors, or other malware, onto target endpoints.
Most of the time, they’d try phishing. Sometimes, the email back-and-forth could go on for days, as the threat actor impersonates (opens in new tab) a familiar individual or organization and establishes enough trust to be able to successfully deliver malware via email attachments.
Google said it combats this by adding newly discovered malicious websites and domains to Safe Browsing, sending people alerts to let them know they were being targeted, and inviting them to enroll in Google’s Advanced Protection Program.
Hackers would also try and host benign PDF files with links to malware on Google Drive, thinking that that way they might be able to evade detection by antivirus programs. They would also encode malicious payloads in the filenames of files hosted on Drive, while the files themselves were blank.
“Google took action to disrupt ARCHIPELAGO’s use of Drive file names to encode malware payloads and commands. The group has since discontinued their use of this technique on Drive,” Google said.
Finally, they were building malicious Chrome extensions which allowed them to steal login credentials and browser cookies. This prompted Google to improve the security in the Chrome extension ecosystem, which resulted in threat actors now needing to first compromise the endpoint first, and overwrite Chrome Preferences and Secure Preference to get the malicious extensions to run.