DENVER, Jan. 6, 2022 /PRNewswire/ — Researchers at Black Lotus Labs®, the threat intelligence team at Lumen Technologies, discovered new evidence of a months-long campaign against the Russian Ministry of Foreign Affairs (MID). The highly targeted campaign included the deployment of the Konni RAT – a malicious Remote Access Trojan that researchers and governments believe is a tool used by the Democratic People’s Republic of Korea (DPRK) since 2014.
“This activity cluster demonstrates the patient and persistent nature of advanced actors who wage multi-phased campaigns against perceived high-value networks,” said Mark Dehus, director of threat intelligence at Black Lotus Labs. “If actors attempt to infiltrate the Russian Ministry of Foreign Affairs, what’s to stop them from attempting to use these same tactics on other governments or high-profile businesses? For this reason, it is vital for defenders to understand advanced actors’ evolving capabilities and tradecraft used to infect coveted targets.”
Read the full blog here.
Timeline of Observed Events
The series of persistent actions against Russia’s MID occurred from October to December 2021 as follows:
- In October, the actors set up spoofed hostnames to harvest credentials of an active MID account.
- In November, the attackers used social engineering to lure recipients into downloading malware disguised as software the Russian government uses to collect Covid vaccination statuses.
- In December, the attackers used the previously acquired credentials to spear-phish high-value targets with a Happy New Year-themed message. If invoked, a loader nearly identical to the one observed in November would deploy a sophisticated infection chain resulting the Konni RAT, as previously reported by Cluster25.
Why This Attack is Significant
- One of the high-profile targets included Sergey Alexeyevich Ryabko, deputy foreign minister for the Russian Federation, among other Russian government officials….