Fresh evidence has come to light suggesting that a recent cyberattack campaign leveraged against the Russian state continued for far longer than was initially thought.
The findings come as a result of analysis by a threat intelligence team at Black Lotus Labs; the specialists concluded that the strike on the Russian Ministry of Foreign Affairs (MID) may have gone on for as long as three months.
The highly targeted campaign included the deployment of the Konni RAT – a malicious Remote Access Trojan that researchers and governments believe is a tool that has been used by the Democratic People’s Republic of Korea (DPRK) since 2014.
Mark Dehus, director of threat intelligence at Black Lotus Labs, said:
“This activity cluster demonstrates the patient and persistent nature of advanced actors who wage multi-phased campaigns against perceived high-value networks.”
“If actors attempt to infiltrate the Russian Ministry of Foreign Affairs, what’s to stop them from attempting to use these same tactics on other governments or high-profile businesses? For this reason, it is vital for defenders to understand advanced actors’ evolving capabilities and tradecraft used to infect coveted targets,” Mark Dehus added.
Timeline of observed events
The series of persistent actions against Russia’s MID occurred from October to December 2021 and began when the bad actors set up spoofed hostnames to harvest the credentials of an active MID account.
In November, the attackers used social engineering to lure recipients into downloading malware disguised as software the Russian government uses to collect Covid vaccination statuses.
Then in December, the attackers used the previously acquired credentials to spear-phish high-value targets with a Happy New Year-themed message. If invoked, a loader nearly identical to the one observed in November would deploy a sophisticated infection chain resulting in the Konni RAT, as previously reported by Cluster25.
The attack is being regarded as highly significant among governments and corporations worldwide, not least because of the high profile of its targets. A main target was Sergey Alexeyevich Ryabko, deputy foreign minister for the Russian Federation, among other Russian government officials.
According to a cached version of the MID’s website – which has since gone offline – Ryabko is responsible for bilateral relations with North and South America, non-proliferation and arms control, Iran’s nuclear program and Russia’s participation in the BRICS association.