Konni, a North Korean cyber espionage gang, has been connected to a series of targeted attacks against the Russian Federation’s Ministry of Foreign Affairs (MID) using New Year lures to infiltrate Windows PCs with malware.
“This activity cluster demonstrates the patient and persistent nature of advanced actors in waging multi-phased campaigns against perceived high-value networks,” analysts from Lumen Technologies’ Black Lotus Labs stated in an analysis.
The Konni group's tactics, techniques, and procedures (TTPs) overlap with those of the broader Kimsuky umbrella, also tracked as ITG16, Black Banshee, and Thallium. In the most recent attacks the actor gained access to target networks with stolen credentials and then used that foothold to load malware for intelligence-gathering purposes; Malwarebytes documented early traces of the activity as far back as July 2021.
The phishing campaign is thought to have run in three waves. The first began on October 19, 2021, and aimed to collect credentials from MID employees. The second, in November, deployed a rogue version of the Russian-mandated vaccination registration program that served as a loader for additional payloads.
“The timing of this activity closely aligned with the passage of Russian Vaccine Passport laws that mandated Russians had to receive a QR code from the government to prove vaccination in order to access public places such as restaurants and bars,” the researchers stated.
The third wave, which Cluster25 confirmed earlier this week, started on December 20, 2021, and used New Year's Eve celebrations as a spear-phishing theme to launch a multi-stage infection chain ending in the installation of the Konni remote access trojan (RAT). The intrusions began with the compromise of a MID staff member's email account. From there, emails were forwarded to at least two other MID entities, including the Russian Embassy in Indonesia and Sergey Alexeyevich Ryabkov, a deputy minister in charge of non-proliferation and arms control.
The emails appeared to carry a "Happy New Year's" greeting, but they contained a trojanized screensaver attachment designed to download and launch next-stage executables from a remote server. The final stage deploys the Konni RAT, which performs reconnaissance of the compromised system and exfiltrates the collected data back to the server.
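The lure above relies on a screensaver (.scr) attachment that is really a Windows executable. The following is an added example, not code from the report or from any of the named vendors: a mail-gateway style check that flags attachments whose final extension is executable, that use a double extension such as "greeting.jpg.scr", or whose content starts with the PE "MZ" magic regardless of the claimed name. The message it scans is constructed inline; the extension list beyond .scr is an assumed example list.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute on open; .scr (screensaver) is the one used in the
# campaign described above, the others are an assumed example list for illustration.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl"}


def suspicious_attachments(raw_eml: bytes) -> list[dict]:
    """Return one finding per attachment that looks executable by name or by content."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        # Windows decides by the last extension, so "greeting.jpg.scr" runs as a screensaver.
        if any(name.endswith(ext) for ext in EXECUTABLE_EXTS):
            reasons.append("executable extension")
        if name.count(".") > 1:
            reasons.append("double extension")
        # PE executables start with the "MZ" DOS stub, whatever the declared filename/type.
        if payload[:2] == b"MZ":
            reasons.append("PE magic bytes")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample_eml() -> bytes:
    """Constructed test message: a New Year greeting carrying a PE disguised as a picture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Happy New Year!"
    msg.set_content("Happy New Year! Please open the attached card.")
    fake_pe = b"MZ" + b"\x00" * 62  # minimal DOS-header stub, not a real program
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="greeting.jpg.scr")
    msg.add_attachment("Happy New Year", filename="card.txt")  # benign control attachment
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in suspicious_attachments(build_sample_eml()):
        print(finding)
```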
While this campaign was highly targeted, defenders should note how sophisticated actors keep evolving their ability to compromise high-value targets. The researchers also advised organizations to treat unexpected emails and attachments with caution and to adopt multi-factor authentication to protect accounts.