ARCHIPELAGO gang hits South Korean and American think tanks

April 13, 2023

ARCHIPELAGO, an alleged North Korean state-sponsored malicious gang, targets think tanks and subject experts in the United States and South Korea. Based on reports, academic institutions, government agencies, and military personnel are the primary targets of this malicious entity.

The group has deployed numerous attacks against accounts owned by individuals specialising in South Korean policy areas such as human rights and non-proliferation.


The ARCHIPELAGO gang starts its attack by establishing communication with its target.


According to investigations, the ARCHIPELAGO gang starts its operation by building rapport with a target through a consistent exchange of emails over several days. Only after earning the target's trust does it send a malicious email containing a compromised file or link.

The messages are addressed to media outlets and think tanks and lure targets into taking part in media interviews or providing additional information about the Democratic People's Republic of Korea.

When accessed, the link or phishing page within the email redirects recipients to fake login pages. The actors built these pages to capture credentials as they are typed and then send the collected information to an attacker-controlled URL.

In one incident, the ARCHIPELAGO actors delivered a phishing email containing a OneDrive link to a password-protected archive that held malware. The group has also used the browser-in-the-browser (BitB) technique, rendering a fake login page inside what appears to be a legitimate browser window, to harvest credentials.

ARCHIPELAGO has recently used widely trusted cloud storage services such as OneDrive and Google Drive to host infected PDFs containing phishing links, relying on the reputation of those services to bypass security detection.

Additionally, the group distributes password-protected malware payloads as ISO files, either attached to a phishing email or hosted on Drive, and shares the password with recipients in the message itself. Furthermore, the North Korean-backed group has used Drive file names as a command-and-control channel, placing encoded instructions in the file names.
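The delivery patterns described above (cloud-hosted archives, password-protected ISO payloads with the password shared in the mail body) can be turned into simple mail-triage indicators. The following is an added defensive example, not code from the original report or from any vendor; the sample messages, link patterns and indicator names are constructed assumptions for illustration:

```python
import re

# Constructed sample messages (not real ARCHIPELAGO artefacts) that mirror the
# delivery patterns described in the report.
SAMPLE_EMAILS = [
    {"subject": "Interview request on DPRK policy",
     "body": "Please find the questions at https://1drv.ms/u/s!example "
             "The archive password is korea2023",
     "attachments": []},
    {"subject": "Follow-up materials",
     "body": "Attached. Unzip with password Pyongyang!",
     "attachments": ["materials.iso"]},
    {"subject": "Lunch next week?",
     "body": "Are you free on Tuesday?",
     "attachments": []},
]

# Links to the cloud storage services named in the report (assumed host list).
CLOUD_LINK = re.compile(
    r"https?://(?:[\w.-]*\.)?(?:1drv\.ms|onedrive\.live\.com|drive\.google\.com)/\S+",
    re.I)
# A password handed over in the body, e.g. "password is X" or "password: X".
PASSWORD_HINT = re.compile(r"\bpassword\b(?:\s+is)?\s*[:=]?\s*\S+", re.I)
# Container formats used to wrap password-protected payloads.
RISKY_EXT = (".iso", ".zip", ".rar", ".7z")


def score_email(msg):
    """Return the list of indicator names tripped by one message."""
    hits = []
    if CLOUD_LINK.search(msg["body"]):
        hits.append("cloud_storage_link")
    if PASSWORD_HINT.search(msg["body"]):
        hits.append("password_in_body")
    if any(a.lower().endswith(RISKY_EXT) for a in msg["attachments"]):
        hits.append("archive_or_iso_attachment")
    # A password shared alongside an archive (attached or linked) is the
    # combination the report singles out, so flag it explicitly.
    if "password_in_body" in hits and len(hits) > 1:
        hits.append("password_with_payload")
    return hits


def triage(emails):
    """Map each message subject to its tripped indicators for analyst review."""
    return {m["subject"]: score_email(m) for m in emails}
```

These heuristics are a starting point for mail-gateway or SOAR enrichment, not a verdict; a message that trips only one indicator is common in benign traffic.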

Cybersecurity experts warn organisations about the threats posed by the ARCHIPELAGO gang's TTPs and their continual evolution. While the group has prioritised traditional credential phishing, it has also experimented with new techniques.

Users should keep their security software up to date and exercise caution before engaging with emails that look legitimate but may be malicious.
