The North Korea-linked threat actor known as Konni APT is intensifying its cyber operations with a new phishing campaign aimed at government entities in Ukraine. Security researchers at Proofpoint reported that this campaign marks a shift in the group’s strategic focus from Russia to Ukraine, aiming to collect intelligence on the trajectory of the ongoing Russian invasion. The campaign underscores the escalation of cyber warfare amidst ongoing geopolitical conflicts.
Historically, Konni APT, also known by various names including Opal Sleet, Osmium, and Vedalia, has targeted government entities in both Russia and South Korea for strategic intelligence purposes. As per the analysis by Proofpoint, the ongoing phishing campaign aims to gather insights into the military and political situation in Ukraine, which may help North Korean leadership assess risks to its own forces currently involved in operations.
The threat actor employs sophisticated techniques in their phishing efforts, utilizing emails that impersonate a senior fellow at a fictitious think tank. These emails contain links to password-protected RAR archives hosted on the MEGA cloud service. Upon opening the archive, victims are exposed to malware designed to conduct extensive reconnaissance on their systems, thus compromising sensitive information.
In a typical attack, when the targets do not engage with the phishing link, subsequent emails are sent as reminders, increasing the chances of a successful breach. This strategy includes embedding commands in decoy content, aimed at executing malicious software that collects and transmits data back to the attackers. The sophisticated nature of these attacks reflects a shift toward more politically motivated cyber espionage.
Proofpoint has also identified instances of credential harvesting through fake Microsoft security alerts sent from ProtonMail accounts, further complicating the cybersecurity landscape for Ukrainian governmental entities and heightening the stakes in this ongoing cyber conflict.
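The lure traits described above (MEGA-hosted password-protected archives, reminder follow-ups, and vendor-branded "security alerts" sent from free webmail accounts) are the kind of signals a mail-gateway triage rule can flag for analyst review. The following is an added example written for this article, not Proofpoint's or any vendor's tooling; the sender addresses, subjects and URLs in the sample messages are constructed and are not real indicators.

```python
import re

# Constructed sample messages modelled on the lure traits reported above.
# All senders, subjects and links are hypothetical test data.
SAMPLE_EMAILS = [
    {"from": "fellow@example-thinktank.org",
     "subject": "Follow-up: analysis request",
     "body": "Please review the report: https://mega.nz/file/ABC123#key  Password: 2024"},
    {"from": "msft-security-team@protonmail.com",
     "subject": "Microsoft account security alert",
     "body": "Unusual sign-in detected. Verify here: https://login.example-phish.net/"},
    {"from": "colleague@ministry.example",
     "subject": "Meeting notes",
     "body": "Attached are the notes from Tuesday."},
]

# Heuristics tied to the reported tradecraft, not a general phishing classifier.
MEGA_LINK = re.compile(r"https?://(?:www\.)?mega\.(?:nz|io|co\.nz)/", re.I)
ARCHIVE_PASSWORD = re.compile(r"\b(password|passcode|pwd)\b\s*[:=]", re.I)
FREEMAIL_SENDER = re.compile(r"@(protonmail\.com|proton\.me)$", re.I)
MS_ALERT_SUBJECT = re.compile(r"\bmicrosoft\b.*\b(security|sign-in|alert)\b", re.I)


def triage(email):
    """Return the list of lure traits matched by one message (empty = nothing flagged)."""
    findings = []
    sender, subject, body = email["from"], email["subject"], email["body"]
    if MEGA_LINK.search(body):
        findings.append("mega_link")
        # A file-sharing link plus an in-body password suggests a password-protected
        # archive lure, which defeats attachment scanning at the gateway.
        if ARCHIVE_PASSWORD.search(body):
            findings.append("password_in_body")
    # A Microsoft-branded security alert from a free webmail provider is the
    # credential-harvesting pattern reported above.
    if FREEMAIL_SENDER.search(sender) and MS_ALERT_SUBJECT.search(subject):
        findings.append("freemail_vendor_impersonation")
    return findings


def flagged(emails):
    """Return (sender, findings) for every message with at least one finding."""
    return [(e["from"], triage(e)) for e in emails if triage(e)]


if __name__ == "__main__":
    for sender, hits in flagged(SAMPLE_EMAILS):
        print(f"{sender}: {', '.join(hits)}")
```

Matches are review queue candidates rather than block decisions, since legitimate MEGA links and vendor alerts do occur; the value is in correlating the traits against the impersonated-sender context the article describes.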
This shift in focus towards Ukraine is part of a broader pattern of escalating tensions and cyber activities that involve multiple North Korean hacking groups, each with its own operational tactics. While carrying out these campaigns, the Konni APT seems to prioritize the collection of high-level strategic political intelligence.