
How Google TAG’s Powerful Defense Is Stopping North Korean Hackers

North Korean hackers have been targeting policy experts, says Google’s Threat Analysis Group.

These attackers have been a concern for more than a decade. Google’s Threat Analysis Group (TAG), which tracks the activity, has published details of the group’s tactics and of the defenses Google has put in place against them.

Here we’ll look at who these government-backed attackers target, the tactics they use, and how Google is protecting users from them.

Targets of North Korean Hackers

Google’s TAG tracks this threat actor under the name ARCHIPELAGO.

ARCHIPELAGO targets people with expertise in North Korea policy issues, including sanctions, human rights, and non-proliferation.

TAG has observed the group going after both Google accounts and accounts on other services, belonging to government and military personnel, think tanks, policymakers, academics, and researchers, primarily in South Korea and the United States.

Their Tactics and Google’s Defense

The first thing to notice about ARCHIPELAGO is its patience: the group first builds trust with a target by exchanging ordinary-looking emails over an extended period, and only then sends a malicious link or file.

Phishing Emails

For instance, ARCHIPELAGO sends phishing emails that appear to come from media outlets, asking North Korea experts to take part in an interview or to respond to a request for information (RFI).

The email asks the recipient to click a link to view the interview questions. The link leads to a fake login page; once the victim has entered their credentials, they are redirected to a harmless document of interview questions that matches the original email.

Does anything look suspicious? No, and that is the point: the victim receives the document they were promised and has no reason to doubt the login page they just passed through, while the attacker now holds their password.

Browser-in-the-Browser Phishing Page

ARCHIPELAGO also sends links that lead to “browser-in-the-browser” phishing pages. Such a page draws a fake pop-up browser window inside the real web page using ordinary HTML and CSS, complete with a spoofed address bar showing a legitimate-looking URL and a login prompt. Because the fake window imitates a genuine sign-in pop-up, the victim believes they are typing their password into an authentic login page. The tell is that the fake window is just part of the page: it cannot be dragged outside the real browser window, the real address bar still shows the attacker’s domain, and a password manager bound to the legitimate origin will not offer to autofill it.

Result? Credentials stolen.

[Image: browser-in-the-browser phishing page]

Malware Operations

More recently, TAG has observed ARCHIPELAGO incorporating malware into a growing share of its campaigns.

To keep that malware from being detected by antivirus and mail-gateway scanners, ARCHIPELAGO frequently packs it into a password-protected archive and sends the password separately in the body of the phishing email. A scanner that does not have the password cannot inspect the archive’s contents, so the file passes through filtering that would otherwise catch it, and only the victim, who has the password in front of them, ever opens it.

[Image: password-protected malware]
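As an added example (not code from Google TAG or from this article), the Python script below shows how a mail-filtering pipeline can turn this trick against the attacker: it parses a ZIP attachment, notes that its entries carry the encryption flag, harvests candidate passwords from the email body with a loose regular expression, tries them against the archive, and quarantines anything it cannot inspect or that contains executable file types. Because Python’s `zipfile` can read but not write ZipCrypto archives, the script also carries a small ZipCrypto writer that exists only to build the constructed sample; the lure text, the password pattern, and the list of risky extensions are assumptions for the demo, not ARCHIPELAGO artefacts.

```python
"""Triage a password-protected ZIP attachment whose password travels in the email body.
Added example for this article, not Google TAG code; the lure text and archive are constructed."""
import io
import re
import struct
import zipfile
import zlib
from pathlib import PurePosixPath

# ---- Minimal ZIP writer with ZipCrypto, used only to build the sample archive. ----
# Python's zipfile can read ZipCrypto archives but cannot write them.
def _crc_update(crc, byte):
    """One table step of CRC-32 on a raw register value, as the ZipCrypto key schedule uses it."""
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(password, plaintext):
    """Traditional PKWARE stream cipher; the key schedule advances on each plaintext byte."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(byte):
        nonlocal k0, k1, k2
        k0 = _crc_update(k0, byte)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc_update(k2, k1 >> 24)

    for b in password:
        update(b)
    out = bytearray()
    for p in plaintext:
        k = k2 | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def build_zip(entries, password=None):
    """Stored (uncompressed) ZIP of (name, bytes) entries, ZipCrypto-encrypted if a password is given."""
    body, central = bytearray(), bytearray()
    flags = 0x0001 if password is not None else 0  # general-purpose bit 0 marks an encrypted entry
    for name, data in entries:
        crc = zlib.crc32(data) & 0xFFFFFFFF
        payload = data
        if password is not None:
            # 12-byte encryption header: 11 seed bytes (fixed here so the demo is deterministic)
            # followed by a check byte equal to the high byte of the CRC.
            payload = zipcrypto_encrypt(password, bytes(range(11)) + bytes([crc >> 24]) + data)
        raw, offset = name.encode("ascii"), len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                            crc, len(payload), len(data), len(raw), 0) + raw + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                               crc, len(payload), len(data), len(raw), 0, 0, 0, 0, 0, offset) + raw
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)

# ---- Defensive side: what a mail filter can do with such an attachment. ----
# Loose pattern for "password: X" or "the password for the archive is X" (assumption; tune it).
PASSWORD_RE = re.compile(r"\b(?:password|passcode)\b[^\n:]{0,40}?(?:is|:)\s*[\"']?([^\s\"'.,;]+)",
                         re.IGNORECASE)
# File types that have no business in an "interview questions" archive (assumption).
RISKY_EXTENSIONS = {".exe", ".scr", ".lnk", ".js", ".vbs", ".hta", ".chm", ".dll", ".iso"}

def harvest_passwords(email_body):
    return PASSWORD_RE.findall(email_body)

def triage_attachment(archive, email_body):
    """Return what the filter could learn about the archive and an allow/quarantine verdict."""
    zf = zipfile.ZipFile(io.BytesIO(archive))
    infos = zf.infolist()
    report = {
        "encrypted": any(info.flag_bits & 0x1 for info in infos),
        "opened_with": None,
        # Entry names are never encrypted in a ZIP, so this check needs no password.
        "risky_files": [i.filename for i in infos
                        if PurePosixPath(i.filename).suffix.lower() in RISKY_EXTENSIONS],
        "verdict": "allow",
    }
    if report["encrypted"]:
        for candidate in harvest_passwords(email_body):
            try:
                for info in infos:
                    zf.read(info.filename, pwd=candidate.encode())  # decrypted bytes go to AV here
            except (RuntimeError, zipfile.BadZipFile):
                continue  # wrong password: bad check byte, or CRC mismatch on the 1-in-256 false accept
            report["opened_with"] = candidate
            break
    # Quarantine hostile contents, and anything the filter could not look inside at all.
    if report["risky_files"] or (report["encrypted"] and report["opened_with"] is None):
        report["verdict"] = "quarantine"
    return report

# Constructed lure and attachment (not real ARCHIPELAGO artefacts).
SAMPLE_EMAIL = ("Dear Professor, thank you for agreeing to the interview. The questions are in the "
                "attached archive; the password for the archive is Interview2023. Best regards")
SAMPLE_ARCHIVE = build_zip([("Interview_Questions.docx.exe", b"MZ" + b"\0" * 62 + b"stand-in body")],
                           password=b"Interview2023")
```

Call `triage_attachment(SAMPLE_ARCHIVE, SAMPLE_EMAIL)` to see the report. Two details matter in practice: ZIP entry names are stored in the clear even when the data is encrypted, so the executable-extension check works without the password; and ZipCrypto’s check byte only rejects a wrong password 255 times out of 256, so the CRC failure raised on the remaining case has to be handled too, which is why the `except` clause catches `BadZipFile` as well as `RuntimeError`.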

Use of Google Drive

ARCHIPELAGO has also abused Google Drive in an unusual way: it encoded malicious payloads in the filenames of files hosted on Drive, so that the attacker’s data sat in a field that is not normally scanned as file content.

Google took action to block this use of Drive filenames, and the group has since stopped using the technique on Drive.
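The filename trick works because content scanners look at file bodies, not names. As an added example (not Google TAG’s code or this article’s), the Python below shows a simple heuristic a Drive or mail administrator could run over a folder listing: it looks for long base64-like runs in the filename stem and measures their entropy, because a long underscored title is also alphabet-valid base64 and decodability alone would drown the result in false positives. The thresholds and the sample filenames are constructed assumptions for the demo.

```python
"""Flag Drive filenames that look like they carry an encoded payload instead of a title.
Added example for this article, not Google TAG code; thresholds and samples are constructed."""
import base64
import binascii
import math
import re
import string
from collections import Counter

# A run of 32+ base64 / URL-safe base64 characters inside a filename is worth a second look.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/_-]{32,}={0,2}")
ENTROPY_THRESHOLD = 4.8  # assumption: English-ish stems sit near 4.0-4.3 bits/char,
                         # base64 of arbitrary data well above 5
MAX_SANE_STEM = 80       # assumption: ordinary document titles are far shorter

def shannon_entropy(text):
    """Bits per character of the text's own character distribution (0.0 for empty text)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def decodes_as_base64(run):
    """True if the run is alphabet-valid base64 (standard or URL-safe) once padded."""
    padded = run.rstrip("=")
    padded += "=" * (-len(padded) % 4)
    try:
        base64.b64decode(padded, altchars=b"-_", validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def analyse_filename(name):
    """Report why a filename looks like a payload carrier (empty reasons = looks normal)."""
    stem = name.rsplit(".", 1)[0]
    reasons = []
    if len(stem) > MAX_SANE_STEM:
        reasons.append(f"stem is {len(stem)} chars long")
    run = max(BASE64_RUN.findall(stem), key=len, default="")
    entropy = shannon_entropy(run)
    # Decodability alone is not evidence (a long underscored title is valid base64 too);
    # the entropy of the run is what separates a real title from encoded data.
    if run and decodes_as_base64(run) and entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"{len(run)}-char base64-like run at {entropy:.2f} bits/char")
    return {"name": name, "suspicious": bool(reasons), "reasons": reasons}

def flag_listing(filenames):
    """Names from a Drive folder listing that deserve analyst attention."""
    return [r["name"] for r in map(analyse_filename, filenames) if r["suspicious"]]

# Constructed samples. The "payload" run is every URL-safe base64 character exactly once, in a
# scrambled order, standing in for base64 of arbitrary data (entropy 6.0 bits/char).
_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-_"
PAYLOAD_RUN = "".join(_ALPHABET[(i * 13) % 64] for i in range(64))
SAMPLE_LISTING = [
    "Interview Questions (final).docx",
    "Interview_Questions_North_Korea_Sanctions_2023.docx",
    f"Interview_Questions_{PAYLOAD_RUN}.docx",
]
```

`flag_listing(SAMPLE_LISTING)` returns only the third name: the second, despite being a 46-character run that decodes as base64, has the roughly 4.2 bits per character of an English title and is left alone.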

Fake Chrome Extensions

ARCHIPELAGO has also attempted to install a malicious Chrome extension called SHARPEXT. Once on a victim’s computer, it reads email directly from the Gmail or AOL Mail webmail session open in the browser and sends it to the attackers. Because the extension runs inside an already-authenticated session, it needs neither the password nor a second factor, so MFA alone does not stop it; the practical controls are auditing installed extensions (chrome://extensions) and, on managed devices, restricting which extensions may be installed through Chrome’s extension policies.

In response, Google made changes to the Chrome extension system to prevent threat actors from distributing malicious extensions through the Chrome Web Store.

Google’s Defense

To protect individuals who may be targeted by threat actors like ARCHIPELAGO, TAG works with other security teams at Google to make its products safer.

To that end, Google takes the following actions:

  • Adding newly identified malicious websites and domains to Safe Browsing, so Chrome and other Safe Browsing clients warn users before they reach them.
  • Sending warnings directly to Gmail and Workspace users who are targeted by government-backed attackers.
  • Recommending that potential targets enroll in Google’s Advanced Protection Program, enable Enhanced Safe Browsing in Chrome, and keep their devices updated.

To sum it up, stay vigilant and take the necessary steps to protect yourself online: enable Safe Browsing, keep your devices updated, and, if you are a likely target, enroll in Google’s Advanced Protection Program. Online safety is a shared responsibility, and we all play a part in keeping the internet safer.

For more on cybersecurity, check out the other blogs on TheCybersecurity.Club.
