North Korean state hackers appear to be spying on Russia by planting a backdoor inside custom, internal government software.
In mid-January 2024, a sample of the Konni backdoor was uploaded to VirusTotal. More interesting than the prize itself, though, was the wrapping: it came bundled inside a Russian-language installer, apparently associated with a tool called "Statistika KZU" (Cтатистика КЗУ).
Upon further investigation, researchers from Berlin's DCSO CyTec were unable to find any public record of, or even references to, Statistika KZU. Based on installation paths, file metadata, and user manuals included in the installer, however, they deduced that it is a platform built for internal use within Russia's Ministry of Foreign Affairs (MID). Specifically, officials use it to securely relay annual statistical reports from overseas consular posts (the researchers did note that they were unable to conclusively confirm its legitimacy, as they could not independently test the program's functionality).
"The use of a backdoor in software used almost exclusively by the Russian Foreign Ministry stands out," says John Bambenek, president at Bambenek Consulting. "It shows that the DPRK did their research here for a very specific hook into their victims, and is, ironically, a more targeted and precise adaptation of the approach Russian intelligence used with NotPetya."
Russia & North Korea's "Frenemy" Cyber Strategies
Russia and North Korea have a longstanding friendship, as strong today as ever. Even their cybercriminals are friends.
And yet, behind the scenes, Kim Jong-Un's hackers have an extensive history of spying on their northern neighbors. For at least half a decade, state hackers have been carrying out attacks specifically targeting Russian companies. They've continued with similar activity ever since, aiming campaigns against diplomats and policy experts, the military, and more. Konni has taken center stage in a number of these incidents, including a broad 2018 campaign which swept up Russian-speaking individuals and businesses.
In fact, this latest Konni case may only have been possible thanks to prior information-gathering efforts.
In its blog post, DCSO questioned how the DPRK could have even known about internal Russian government software. "We are unable to offer any concrete conclusions in this regard," they wrote, but added that "Konni-linked activity targeting Russian foreign policy end-targets including the MID has been observed for many years, potentially providing many opportunities for internal tool identification and subsequent acquisition or exfiltration for backdooring purposes."
Spying on one's friends may be uncouth, but "it's not unusual for intelligence agencies to spy even on their putative allies, if for nothing else, for insights to either strengthen the relationship or to identify and mitigate threats to the relationship," Bambenek points out.