North Korean state hackers appear to be spying on Russia, inserting a backdoor into custom-built internal government software.
In mid-January 2024, a sample of the Konni backdoor was uploaded to VirusTotal. More interesting than the gift, though, was the packaging: It arrived bundled inside a Russian-language installer, apparently associated with a tool called “Statistika KZU” (Cтатистика КЗУ).
After further investigation, researchers from DCSO CyTec in Berlin could not find any public documents or references to Statistika KZU. However, based on the installation paths, file metadata, and user manuals included in the installer, they deduced that it is a platform built for internal use within the Russian Ministry of Foreign Affairs (MID). Specifically, officials use it to securely transmit annual statistical reports from consular posts abroad (the researchers noted that they were unable to definitively confirm its legitimacy, as they could not independently test the program's functionality).
“It is interesting to note the use of a backdoor in the software used almost exclusively by the Russian Foreign Ministry,” says John Bambenek, president of Bambenek Consulting. “This shows that North Korea has done its research here to very specifically target its victims and, ironically, this is a more targeted and precise adaptation of the Russian intelligence approach used with NotPetya.”
The “enemy” information channels of Russia and North Korea
Russia and North Korea have a long-standing friendship, stronger today than ever. Their cybercriminals are also friends.
Yet behind the scenes, Kim Jong-Un’s hackers have a long history of spying on their northern neighbors. For no less than half a decade, state hackers carried out attacks specifically targeting Russian companies. They have since continued with similar activities, running targeted campaigns against diplomats and political experts, the military, and more. Konni took center stage in numerous of these incidents, including an extensive 2018 campaign that targeted Russian-speaking individuals and businesses.
Indeed, this latest Konni case may have only been possible due to earlier intelligence gathering efforts.
In its blog post, DCSO questioned how North Korea could have known about the Russian government’s internal software. “We are unable to offer any concrete conclusions in this regard,” they wrote, but added that “Konni-related activity aimed at the ultimate goals of Russian foreign policy, including the MID, has been observed for many years, providing potentially many opportunities for identification of internal tools and subsequent acquisition or exfiltration for backdooring purposes.”
Spying on your friends may be crude, but “it is not uncommon for intelligence agencies to also spy on their perceived allies, if for nothing else, to obtain information that can help strengthen the relationship or identify and mitigate threats to the relationship,” Bambenek points out.