North Korean-linked threat actor intensifies cyberespionage operations targeting Russia and South Korea, report reveals
Konni, a threat actor linked to North Korea’s Kimsuky group, has intensified its cyberespionage operations against South Korea and Russia, using consistent tactics and evolving strategies, according to a report by Genians.
The cyber threat actor known as Konni, previously linked to the North Korean state-sponsored group Kimsuky, has been increasing its cyberespionage operations against targets in South Korea and Russia, according to a recent report by the South Korean cybersecurity firm Genians.
The report highlights that Konni employs consistent tactics, techniques, and procedures in its attacks on Moscow and Seoul, with cyberespionage as the primary objective. Since at least 2021, Konni has targeted entities such as the Russian Ministry of Foreign Affairs, the Russian Embassy in Indonesia, and various South Korean organisations, including a tax law firm.
One notable incident occurred in January 2022, when Konni targeted Russian embassy diplomats with phishing emails disguised as New Year greetings, aiming to deliver malware. According to Genians, Konni’s malicious activities have been ongoing since 2014. In its attacks on both Russian and South Korean targets, Konni uses similar methods to connect infected devices to hacker-controlled command-and-control (C2) servers. Malicious modules are deployed through executable files, and the connection to the C2 server is established via internal commands.
Genians researchers emphasised that while Konni’s attack patterns have remained consistent over the years, the group has been incorporating new, anomalous tactics to enhance the success of its operations. They also noted that understanding the similarities in the group’s attacks across different regions could help security professionals better defend against and attribute these threats.