North Korea’s cyber-espionage efforts have been directed at infiltrating the Russian Ministry of Foreign Affairs, according to a German cybersecurity firm, which has discovered a malware sample concealed within a backdoored software installer for Moscow.
This malware, identified as KONNI, which has been a part of Pyongyang’s cyber arsenal since at least 2014, was embedded within an installer for “Statistika KZU,” software purportedly designed for the Russian Ministry of Foreign Affairs’ internal use in securely transmitting documents, said Deutsche Cyber-Sicherheitsorganisation, or DCSO, on Thursday.
A “backdoored software” allows access to a system without normal authentication procedures, which means that hackers can gain unauthorized access without operator approval to view, alter or delete internal material.
This tactic of disguising malware within legitimate software installers mirrors a previous instance in 2023, where a similar method was employed with a compromised installer for “Spravki BK,” a tax filing software mandated by the Russian state, DCSO added.
“In spite of this evolving strategic relationship, however, DPRK nexus cyberespionage efforts against Russian targets of interest in sensitive sectors such as government or defense appear to be ongoing,” said the German firm. DPRK, or the Democratic People’s Republic of Korea, is North Korea’s official name.
DCSO’s discovery comes amid increasing geopolitical proximity between Moscow and Pyongyang. The two countries held a high-profile summit in September 2023, with media reports suggesting that large-scale transfers of artillery ammunition from the North to Russia had taken place in order to support Moscow’s ongoing invasion effort in Ukraine, likely in exchange for technical support in areas of key interest to Pyongyang.
Most recently, Russian President Vladimir Putin presented North Korean leader Kim Jong Un with a Russian-made passenger car, as reported by the North Korean media on Tuesday. Later it was confirmed that the car presented to Kim was an Aurus Senat,the "Russian equivalent of Rolls-Royce."
Cyberespionage by Pyongyang targeting critical Russian sectors has not been unheard of.
In 2019, the U.S.-based Check Point Research highlighted a “coordinated North Korean attack against Russian entities utilizing familiar North Korea cyber tools. Separately, in 2020, Russian media reported activities of the Kimsuky cluster, allegedly affecting entities like the Russian defense giant Rostec.
Edited by Elaine Chan and Mike Firn.