CyberSecurity news
@securityonline.info
North Korean state-sponsored threat group Konni, also known as Opal Sleet or TA406, has been observed actively targeting Ukrainian government entities in cyber espionage campaigns. These operations focus on gathering strategic intelligence related to the ongoing conflict between Russia and Ukraine. The group utilizes phishing campaigns to collect information on the trajectory of the Russian invasion, indicating North Korea's sustained interest in the geopolitical dynamics and its willingness to leverage cyber capabilities for strategic advantage.
TA406's cyber espionage activities involve sophisticated social engineering tactics, often impersonating fictitious think tanks, such as the "Royal Institute of Strategic Studies." These phishing emails are laced with lure content relevant to current Ukrainian political events, particularly those surrounding former military leader Valeriy Zaluzhnyi. The attackers use password-protected RAR files hosted on MEGA, containing .CHM files with embedded PowerShell scripts, or HTML files and LNK shortcuts to initiate the infection.
Once a target is compromised, PowerShell scripts are executed to gather extensive system information, including network configuration, system details, and the output of WMI queries. The collected data is Base64-encoded and transmitted to external servers, giving the attackers a comprehensive picture of the targeted systems. The group employs several persistence mechanisms, such as installing batch files as autorun entries and creating scheduled tasks, to retain access to compromised machines.
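The infection chain above (a .CHM file launching PowerShell, an encoded PowerShell command line, and a scheduled task that runs a batch file) leaves a recognisable trail in process-creation telemetry. The following is an added detection example written for this page, not code from any of the cited reports; it assumes Sysmon-style process-creation events with parent, image and command-line fields, and the sample events are constructed. hh.exe is the Windows HTML Help viewer that renders .CHM files.

```python
import re

# Constructed sample events in a Sysmon-style process-creation shape (not real telemetry).
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # .CHM opened in the HTML Help viewer, which then launches an encoded PowerShell command
    {"parent": r"C:\Windows\hh.exe", "image": PS_PATH,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},  # truncated, constructed
    # PowerShell registering a scheduled task that runs a batch file from the user profile
    {"parent": PS_PATH, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "C:\\Users\\u\\AppData\\Roaming\\run.bat"'},
    # Benign interactive PowerShell started from the desktop shell
    {"parent": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "cmdline": "powershell.exe Get-ChildItem"},
]

INTERPRETERS = {"powershell.exe", "cmd.exe", "mshta.exe"}
# powershell.exe accepts unambiguous prefixes of -EncodedCommand, so match the common short forms too.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the names of the rules an event triggers (empty list if none)."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits = []
    if parent == "hh.exe" and image in INTERPRETERS:
        hits.append("chm_spawns_interpreter")
    if image == "powershell.exe" and ENCODED_FLAG.search(cmd):
        hits.append("powershell_encoded_command")
    if (image == "schtasks.exe" and parent in {"powershell.exe", "cmd.exe"}
            and re.search(r"(?i)/create\b", cmd) and re.search(r"(?i)\.bat\b", cmd)):
        hits.append("scheduled_task_runs_batch")
    return hits


def scan(events):
    """Map event index -> triggered rules, keeping only events that fired a rule."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

Each rule on its own is noisy in some environments (administrators do use -EncodedCommand); the value is in correlating the CHM-to-interpreter parent relationship with the encoded command and the follow-on task creation on the same host.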
References:
- thehackernews.com: North Korean Konni APT Targets Ukraine with Malware to track Russian Invasion Progress
- BleepingComputer: North Korea ramps up cyberspying in Ukraine to assess war risk
- securityonline.info: TA406 Cyber Campaign: North Korea’s Focus on Ukraine Intelligence