APT43’s Archipelago.
N2K logoApr 6, 2023

Mandiant and Google’s Threat Analysis Group name APT43 as DPRK cyber espionage group. 

APT43’s Archipelago.

Mandiant and Google’s Threat Analysis group have named APT43 and its sub-activity ARCHIPELAGO as a cyber espionage group with ties to the Democratic People's Republic of Korea government. Its cybercrime ventures range from phishing email campaigns against targets with expertise in DPRK policy to cryptocurrency theft and laundering. Additionally, ARCHIPELAGO seems to be adapting to use novel malware to avoid detection from Google AV services. Unlike other DPRK cyber threat actors, who send stolen cryptocurrency to the DPRK government, APT43 (and ARCHIPELAGO by extension) seems to reap its own rewards, funding its own activities with the money it steals. 

A formerly unnamed cybercrime group, APT43, was named and described APT43 by Mandiant in a report last week. It was also shown to have ties to the Democratic People’s Republic of Korea. Mandiant explains that after five years of tracking the activities of APT43 they can attribute the group to the Democratic People’s Republic of Korea because their “collection priorities align with the mission of the Reconnaissance General Bureau (RGB), North Korea's main foreign intelligence service.” Mandiant also highlights how APT43 acquires and launders stolen cryptocurrency to fund its own espionage operations. This differs from other DPRK cyber threat actors who seem to funnel cryptocurrency to fund the DPRK government as a whole.

ARCHIPELAGO is phishing for government worker credentials.

Google released a follow-up report on 5 April which focused on a subset of APT43’s activities which Google calls “ARCHIPELAGO.” Google notes that it “observed the group target individuals with expertise in North Korea policy issues such as sanctions, human rights and non-proliferation issues.” Google goes on to expose how ARCHIPELAGO conducts its phishing and various malware operations explaining “ ARCHIPELAGO invests time and effort to build rapport with targets, often corresponding with them by email over several days or weeks before finally sending a malicious link or file.”  

Google writes “ARCHIPELAGO often sends phishing emails where they pose as a representative of a media outlet or think tank and ask North Korea experts to participate in a media interview or request for information (RFI).” At first glance the emails seem legitimate, however at a closer glance we can see something phishy is going on. In a fake Google security settings email, shown in Google’s report the following sentence pops out “Please recovery your account by clicking the button below.” (Experts advise users to always diligently read through emails asking for account verification, and be on the look-out for suspicious things like spelling errors and odd sentence structure.) 

Adapting to Google’s anti malware services.

Google further notes “For several years, ARCHIPELAGO focused on conducting traditional credential phishing campaigns. More recently, TAG has observed ARCHIPELAGO incorporate malware into more of their operations,...To protect their malware from AV scanning, ARCHIPELAGO commonly password-protects their malware and shares the password with recipients in a phishing email.”