How we’re protecting users from government-backed attacks from North Korea

As part of Threat Analysis Group’s (TAG) mission to counter serious threats to Google and our users, TAG has been tracking government-backed hacking activity tied to North Korea for over a decade. Today, as a follow-up to Mandiant’s report on APT43, we are sharing TAG’s observations on this actor and what Google is doing to protect users from this group and other government-backed attackers. Because TAG’s visibility into this actor is distinct from Mandiant’s, TAG uses the name ARCHIPELAGO to track a subset of APT43 activity.

TAG began tracking ARCHIPELAGO in 2012 and has observed the group target individuals with expertise in North Korea policy issues such as sanctions, human rights and non-proliferation. These targets include Google and non-Google accounts belonging to government and military personnel, think tanks, policy makers, academics, and researchers in South Korea, the US and elsewhere.

To safeguard at-risk users, TAG uses our research on serious threat actors like ARCHIPELAGO to improve the safety and security of Google’s products. TAG adds newly discovered malicious websites and domains to Safe Browsing to protect users from further exploitation. We also send all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. We encourage potential targets to enroll in Google’s Advanced Protection Program, enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.