American information security experts from Cluster25 and Black Lotus Labs discovered cyberattacks on employees of the Russian Foreign Ministry before the New Year holidays. They were allegedly carried out by the North Korean hacker group Konni.
According to Black Lotus Labs, the attackers began the phishing campaign back in October. Some diplomats were sent archives purporting to contain vaccination data, while others received links to download a fake program for registering vaccinated people in the federal vaccine registry. As a result, the account of one Foreign Ministry employee (mshhlystova@mid.ru) was compromised. From this address, on December 20, the hackers sent a phishing email to Deputy Minister Sergei Ryabkov at SRyabkov@mid.ru.
In addition, Cluster25 reported that another letter containing an infected archive was sent on December 20 to the Russian Embassy in Indonesia; its sender was listed as the diplomatic mission in Serbia.
The Russian Foreign Ministry confirmed that the attack was real. "However, the attack was detected and contained in time by the ministry's standard active protection measures for its information infrastructure and did not spread further," the Foreign Ministry said.
The ministry stressed that the phishing attack had no destructive impact on the information infrastructure of the Foreign Ministry.
As Anastasia Tikhonova, head of the Group-IB threat research group, explained, the American experts could have obtained samples of the emails from VirusTotal (VT), a service that analyzes suspicious files. According to her, one of these letters was uploaded there on the day of the attack, December 20.
It should be noted that the Konni group (APT37) has been known since 2017. In its attacks it has used, in particular, documents related to Russia-DPRK relations, with texts taken from public sources. Kaspersky Lab cybersecurity expert Denis Legezo said that Konni may send a deliberately corrupted PDF file: the recipient cannot open it, and the attackers then send an infected program disguised as a PDF reader.