
In 2012, Google's Threat Analysis Group (TAG) began monitoring a North Korean government-backed threat actor they have named ARCHIPELAGO. This is a subset of another threat group tracked by Mandiant, APT43, who are known to target government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S. with expertise in North Korea policy issues such as sanctions, human rights, and non-proliferation issues. These attacks usually involve the use of phishing emails containing malicious links that, when clicked by the recipients, redirect to fake login pages designed to harvest credentials. TAG has observed that ARCHIPELAGO invests time and effort to build a rapport with targets, often corresponding with them by email over several days or weeks before finally sending a malicious link or file. This behavior, along with the priorities of APT43 which align with North Korea's Reconnaissance General Bureau (RGB), suggests overlaps with a group broadly known as Kimsuky.