Lumen Technologies Black Lotus Labs researchers reported that “This activity cluster demonstrates the patient and persistent nature of advanced actors in waging multi-phased campaigns against perceived high-value networks.”
A North Korean cyberespionage group known as Konni has been linked to a series of targeted attacks on the Russian Federation’s Ministry of Foreign Affairs (MID) that used New Year’s lures to compromise Windows systems with malware.
The Konni group’s tactics, techniques, and procedures (TTPs) are known to overlap with threat actors under the Kimsuky umbrella, which is also tracked by the cybersecurity community as Velvet Chollima, ITG16, Black Banshee, and Thallium.
The most recent attacks involved the actor gaining access to the target networks using stolen credentials, then exploiting that foothold to load malware for intelligence-gathering purposes, with Malwarebytes documenting early signs of the activity as far back as July 2021.
The phishing campaign is thought to have unfolded in three waves: the first began on October 19, 2021 and harvested credentials from MID personnel; the second, in November, used COVID-19 themed lures to install a rogue version of the Russian-mandated vaccination registration software, which served as a loader for additional payloads.
The researchers observed that “The timing of this activity closely coincided with the passage of Russian Vaccine Passport laws, which mandated that Russians receive a QR code from the government to prove vaccination in order to access public places such as restaurants and bars.”
The intrusions were carried out by first compromising an email account belonging to a MID staff member, from which emails were sent to at least two other MID entities, including the Russian Embassy in Indonesia and Sergey Alexeyevich Ryabkov, a deputy minister in charge of non-proliferation and arms control.
The email messages appeared to be a “Happy New Year” greeting, but they actually carried a trojanized screensaver attachment designed to retrieve and run next-stage executables from a remote server. The attack concluded with the installation of the Konni RAT, which conducts reconnaissance of the infected machine and exfiltrates the collected data back to the server.
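As an added defender-side example (not code from Black Lotus Labs or the original report), the following triage logic flags the attachment pattern described above: an executable-type file such as a Windows screensaver (.scr), sent with a seasonal greeting subject from an internal account. The log records, domain names and field layout are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample mail-gateway records (not real MID traffic). Fields:
# sender | subject | attachment filename | sender origin
SAMPLE_LOG = [
    "staff@mid.example|Happy New Year!|new_year_card.scr|internal",
    "staff@mid.example|С Новым Годом|photo.jpg.scr|internal",
    "colleague@mid.example|Agenda|agenda.pdf|internal",
    "partner@vendor.example|Invoice|invoice.docx|external",
]

# Extensions Windows executes on double-click; a .scr screensaver is a PE binary.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
# Seasonal-greeting subjects, in English and Russian, used as the lure in this campaign.
LURE_PATTERN = re.compile(r"new year|новым годом|greeting|card", re.IGNORECASE)


def classify_message(record: str) -> Dict[str, object]:
    """Return a verdict for one record: severity plus the reasons it was flagged."""
    sender, subject, filename, origin = record.split("|")
    parts = filename.lower().rsplit(".", 2)  # keep up to two extensions to catch x.jpg.scr
    ext = "." + parts[-1] if len(parts) > 1 else ""
    is_executable = ext in EXECUTABLE_EXTENSIONS
    reasons: List[str] = []
    if is_executable:
        reasons.append(f"executable attachment {ext}")
        if len(parts) == 3:
            reasons.append("double extension disguises executable")
        if LURE_PATTERN.search(subject):
            reasons.append("seasonal lure subject with executable")
    if origin == "internal" and reasons:
        reasons.append("internal sender: possible compromised account")
    severity = "high" if len(reasons) >= 3 else "medium" if reasons else "none"
    return {"sender": sender, "filename": filename, "severity": severity, "reasons": reasons}


def scan(records: List[str]) -> List[Dict[str, object]]:
    """Run every record through classify_message and keep only flagged ones."""
    return [v for v in map(classify_message, records) if v["severity"] != "none"]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_LOG):
        print(verdict)
```

In a real deployment the same checks would run on gateway metadata rather than a fixed list, and the internal-sender reason is what distinguishes a compromised account from ordinary external phishing.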
Finally, the researchers concluded that “While this particular campaign was highly targeted, it is critical for defenders to understand the evolving capabilities of advanced actors to infect coveted targets,” urging organisations to be on the lookout for phishing emails and to use multi-factor authentication to secure accounts.