North Korean Hackers Target Russian Diplomats
Cybersecurity experts from Lumen Technologies and Cluster25 have linked the North Korean cyber-espionage group Konni to a series of targeted attacks aimed at employees of the Ministry of Foreign Affairs of the Russian Federation. The hackers sent New Year’s greetings to Russian diplomats and attempted to compromise their Windows-based computers.
According to the researchers, the emails discovered so far were sent only to the Russian embassy in Indonesia, but the campaign was likely much broader in scope. To make the emails appear authentic, the senders were spoofed as addresses on the ministry's own @mid.ru domain, creating the impression that the messages came from the Russian embassy in Serbia.
“In these emails, the celebration of the New Year 2022 was used as bait,” the experts wrote. “Unlike previous cases, this time the North Korean APT did not use malicious documents as attachments; instead, they attached a file named ‘greeting.zip,’ which contained an embedded executable responsible for the initial stage of infection.”
According to Cluster25, the ZIP archives contained a Windows screensaver file (.scr) which, when launched, displayed a festive greeting screensaver and also installed the Konni remote access trojan (RAT), after which the group is named. A .scr file is an ordinary Windows executable with a different extension, so double-clicking the "greeting" runs the dropper in full. The RAT gives the attackers full control over infected systems.
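The delivery mechanism above (an executable hidden inside a ZIP under a screensaver extension) is the part a mail gateway or triage script can catch generically. The following is an added example, not code from the article or from Lumen/Cluster25: it inspects an archive's members and flags anything that is executable either by extension or by the PE "MZ" magic bytes, so a renamed executable is caught as well. The archive it scans is a constructed stand-in with stub contents, not the real greeting.zip, and the extension list is an assumed triage list rather than an exhaustive one.

```python
"""Triage an e-mail attachment archive for executable content.

Added example, not code from the original article or from Lumen/Cluster25.
The lure described in the article was greeting.zip containing a .scr file;
.scr files are PE executables, so the check below flags members both by
extension and by PE magic, regardless of the name a member carries.
"""
import io
import os
import zipfile

# Extensions Windows runs directly on double-click (assumption: a reasonable
# triage list, not an exhaustive one).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse",
    ".wsf", ".hta", ".ps1", ".lnk", ".dll", ".msi",
}

PE_MAGIC = b"MZ"  # first two bytes of every PE/MZ executable


def suspicious_entries(zip_bytes: bytes) -> list[dict]:
    """Return one dict per archive member that looks executable.

    A member is reported if its extension is executable OR its first two
    bytes are the PE magic, so an .scr renamed to .txt is caught by magic
    and a truncated/empty .scr is still caught by extension.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            by_ext = ext in EXECUTABLE_EXTENSIONS
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))  # only the header is needed
            by_magic = head == PE_MAGIC
            if by_ext or by_magic:
                findings.append({
                    "name": info.filename,
                    "executable_extension": by_ext,
                    "pe_magic": by_magic,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not the real greeting.zip): a stub
    PE-headed .scr, a PE stub renamed to .txt, and a harmless PNG header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("greeting.scr", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")  # stub, not a real PE
        zf.writestr("notes.txt", b"MZ\x90\x00stub")  # executable hiding behind a text extension
        zf.writestr("card.png", b"\x89PNG\r\n\x1a\n")  # benign image header
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_entries(build_sample_archive()):
        print(finding)
```

The magic-byte check matters more than the extension list: the article's lure relied on users not recognising .scr as executable, and the same dropper renamed to a "safe" extension would slip past an extension-only rule. In production the same function would run over the attachment bytes extracted from the message rather than the constructed sample.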
Researchers say they have been tracking Konni’s attacks on Russian diplomats since at least August 2021. This type of malicious activity was first discovered and thoroughly described by Malwarebytes last year.