Google Reveals More Details of North Korean APT43 Activity


Google’s Threat Analysis Group, the team that tracks and works to disrupt the activities of APT groups and other high-level threat actors, is detailing some of the tactics and techniques a North Korean group uses, including its penchant for impersonating journalists and conducting long-term correspondence with its targets before ever running any malicious operations against them.

The group has been active for more than a decade and researchers from Mandiant, a part of Google Cloud, last week named the team APT43 and said in a new report that the group finances much of its cyber espionage operations through cybercrime activities, specifically stealing and laundering cryptocurrency. Cryptocurrency theft is a favored financing option for other North Korean threat actors, including the brazen Lazarus Group, which has been named as the group responsible for last week’s supply chain attack on 3CX. Like the Lazarus Group, APT43 generally works in alignment with the interests of the North Korean government, specifically the Reconnaissance General Bureau, the country’s foreign intelligence agency.

Google TAG refers to the subset of APT43 activity that it tracks as Archipelago, and said in a new report Wednesday that the group typically spends significant time and resources to set up a relationship with potential targets, and then often will use one or another phishing tactic as the initial attack vector. The group often targets policy experts, government employees, and employees at think tanks, and will use highly tailored lures in its phishing emails.

“ARCHIPELAGO invests time and effort to build a rapport with targets, often corresponding with them by email over several days or weeks before finally sending a malicious link or file. In one case, the group posed as a journalist for a South Korean news agency and sent benign emails with an interview request to North Korea experts. When recipients replied expressing interest in an interview, ARCHIPELAGO continued the correspondence over several emails before finally sending a OneDrive link to a password-protected file that contained malware,” TAG researchers said in their new analysis of the group’s activities.

“ARCHIPELAGO has also sent links that lead to “browser-in-the-browser” phishing pages. The phishing pages present users with a fake browser window rendered inside the actual browser window. The fake browser window displays a URL and a login prompt designed to trick users into thinking they are entering their password into a legitimate login page.”

Like some other financially motivated groups, Archipelago sometimes will deliver malicious ISO files to victims.

“In one case TAG recently examined, ARCHIPELAGO sent a phishing email with a Drive link to an ISO file, Interview_with_Voice_of_America.iso. The ISO file contained a ZIP, which, in turn, contained a password-protected document. When decrypted, the document installed VBS-based malware related to BabyShark,” the researchers said.

This group also is known to deploy malicious Chrome browser extensions, including one called SHARPEXT that is capable of stealing information from victims’ email inboxes. The TAG researchers said that the Archipelago group has shifted its tactics in recent years from traditional; phishing and credential theft to more deployment of malware, including one piece of malware that’s related to Babyshark. The Babyshark tool has been used by other North Korean attack groups in the past.

In its report last week, Mandiant said that APT43 is deeply entrenched in the cryptocurrency criminal ecosystem.

“APT43 buys hash rental and cloud mining services to provide hash power, which is used to mine cryptocurrency to a wallet selected by the buyer without any blockchain-based association to the buyer’s original payments—in other words, they use stolen crypto to mine for clean crypto,” Mandiant researchers said.