DENVER, January 6, 2022 / PRNewswire / – Researchers from Black Lotus Labs®, the threat intelligence team of Lumen Technologies, discovered new evidence of a months-long campaign against the Russian Ministry of Foreign Affairs (MID). The highly targeted campaign included the deployment of the Konni RAT, a malicious remote access Trojan that researchers and governments believe has been a tool of the Democratic People's Republic of Korea (DPRK) since 2014.
"This cluster of activity demonstrates the patient and persistent nature of advanced actors who conduct multi-phased campaigns against perceived high-value networks," said Mark Dehus, director of threat intelligence at Black Lotus Labs. "If actors are trying to infiltrate the Russian Foreign Ministry, what stops them from trying to use these same tactics against other governments or top companies? For this reason, it is essential that defenders understand the evolving capabilities of advanced actors and the tradecraft used to infect coveted targets."
Read the full blog here.
Chronology of observed events
The series of persistent actions against Russia's MID took place from October to December 2021 as follows:
- In October, the actors set up spoofed hostnames to harvest credentials for an active MID account.
- In November, the attackers used social engineering to trick recipients into downloading malware disguised as software that the Russian government uses to collect Covid vaccination status.
- In December, the attackers used the previously acquired credentials to spear-phish high-value targets with a Happy New Year-themed message. If executed, a loader almost identical to the one seen in November would deploy a sophisticated infection chain resulting in the Konni RAT, as previously reported by Cluster25.
Why this attack is important
- One of the prominent targets was Sergey Alexeyevich Ryabkov, deputy foreign minister of the Russian Federation, among other representatives of the Russian government.
- According to a cached version of the MID website, which has since gone offline, Ryabkov is responsible for bilateral relations with North and South America, non-proliferation and arms control, Iran's nuclear program and Russia's participation in the BRICS association.
Black Lotus Labs Response
- Black Lotus Labs blocked the threat actor's infrastructure on Lumen's global IP network to protect its customers and the wider Internet from being targeted.
- The team continues to monitor this activity to detect and disrupt similar campaigns, and encourages other organizations to watch for these and similar indicators in their environments.
About Lumen Technologies
Lumen is guided by our belief that humanity is at its best when technology advances the way we live and work. With approximately 450,000 kilometers of optical fiber and serving customers in more than 60 countries, we offer the fastest and most secure platform for applications and data to help businesses, governments and communities deliver amazing experiences. Learn more about Lumen's network, edge cloud, security, communication and collaboration solutions, and our purpose of furthering human progress through technology at news.lumen.com/home, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies and YouTube: /lumentechnologies. Lumen and Lumen Technologies are registered trademarks.
SOURCE Lumen Black Lotus Labs