The North Korean threat group Konni (also tracked as Opal Sleet and TA406) has been targeting Ukrainian government entities with sophisticated phishing campaigns to gather intelligence related to the Ukraine conflict. The effort appears aimed at assessing the feasibility of continued military support and the political environment amid ongoing hostilities.
Affected: Ukrainian government systems, military and political organizations
Key points
- North Korean group Konni is targeting Ukrainian government entities for intelligence collection related to the Ukraine conflict.
- The attackers impersonate think tanks and reference political or military developments in phishing emails.
- The campaigns use email services like Gmail, ProtonMail, and Outlook to distribute malicious links.
- Infections involve downloading password-protected RAR archives containing CHM files that execute PowerShell scripts.
- The malicious PowerShell gathers reconnaissance data and establishes persistence on infected systems.
- Variants of the attack use HTML attachments carrying ZIP archives, benign decoy PDFs, and malicious LNK files to deliver the payloads.
- Konni also previously targeted the same individuals with credential-harvesting emails spoofing Microsoft alerts.
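The infection chain summarised above (archive, then CHM, then PowerShell) leaves a distinctive parent/child process relationship: the Windows HTML Help viewer hh.exe, which opens CHM files, spawning a scripting host. The following detection sketch is an added example written for this summary, not code from the original report or from any vendor tooling; it runs over constructed Sysmon-style process-creation records (the paths, PIDs and command lines are invented for illustration) and flags that relationship.

```python
"""Flag process-creation events in which the Windows HTML Help viewer (hh.exe,
the handler for CHM files) launches a scripting host such as PowerShell.

Added example for this summary; not code from the original report. The event
records below are constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# Scripting hosts that a help-file viewer has no ordinary reason to launch
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Parent images that should almost never spawn a scripting host
SUSPICIOUS_PARENTS = {"hh.exe"}


def _basename(image_path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(image_path).name.lower()


def is_chm_to_script_host(event: dict) -> bool:
    """True when a help-viewer parent launches a scripting-host child."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent in SUSPICIOUS_PARENTS and child in SCRIPT_HOSTS


def find_suspicious_chains(events) -> list:
    """Return a compact alert record for every event matching the CHM -> script host pattern."""
    hits = []
    for ev in events:
        if is_chm_to_script_host(ev):
            hits.append({
                "pid": ev["ProcessId"],
                "parent": ev["ParentImage"],
                "image": ev["Image"],
                "cmdline": ev.get("CommandLine", ""),
            })
    return hits


# Constructed Sysmon Event ID 1 style records (field names follow Sysmon; values are invented).
SAMPLE_EVENTS = [
    # explorer.exe opening a CHM from the user's download folder: expected, not flagged
    {"ProcessId": 4120, "Image": r"C:\Windows\hh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\report.chm'},
    # hh.exe launching PowerShell with a hidden window: the pattern we want to catch
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\stage.ps1"},
    # An analyst opening PowerShell from the desktop: benign, not flagged
    {"ProcessId": 5000, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]


if __name__ == "__main__":
    for hit in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} {hit['parent']} -> {hit['image']} :: {hit['cmdline']}")
```

The match is deliberately narrow (parent image name plus child image name) so that it produces few false positives; hh.exe spawning any child process is rare in normal use, but baseline the environment before alerting on it, and pair the rule with the delivery-side signals the summary mentions, such as password-protected RAR archives and CHM or LNK files arriving from webmail links.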