Full Report
The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations. [...]
Analysis Summary
# Threat Actor: North Korea (Implied State-Sponsored Actor)
## Attribution & Identity
The threat actor is strongly implied to be North Korea, conducting cyberspying operations focused on Ukraine. No specific traditional aliases (like Lazarus, Andariel) are mentioned in this context, but the activity is described as state-sponsored.
## Activity Summary
The actor is ramping up cyberspying activities against Ukraine to assess the risk to North Korean forces in the theatre and to gauge the likelihood of Russia requesting further military support. They have executed preparatory attacks aimed at harvesting account credentials, leveraging emails spoofing Microsoft security alerts. The primary observed campaign involves sophisticated spear-phishing to deliver reconnaissance and persistence mechanisms.
## Tactics, Techniques & Procedures
- **Spearphishing Attachments:** Sending malicious emails impersonating fictitious think tanks discussing sensitive Ukrainian issues (e.g., military dismissals, presidential elections).
- **Delivery via Cloud Storage:** Using links pointing to MEGA hosting services to deliver password-protected archives (.RAR).
- **Archived Malicious Payloads:** Utilizing password-protected archives containing files like `.CHM` (Compiled HTML Help) to conceal the initial payload.
- **Multi-stage PowerShell Execution:** Initial compromise involves PowerShell embedded in the initial file, which downloads and runs a second-stage PowerShell script for reconnaissance and persistence.
- **Alternative Delivery Vectors:** Observing variants using HTML attachments dropping ZIP archives containing benign PDFs alongside malicious LNK files, leading to PowerShell and VBScript execution.
- **Credential Harvesting:** Employing phishing sites disguised as Microsoft security alerts ("unusual sign-in activity") to steal user credentials.
**MITRE ATT&CK IDs (Implied, not explicitly listed):**
* (T1566.001) Phishing: Spearphishing Attachment
* (T1059.001) Command and Scripting Interpreter: PowerShell
* (T1547.001) Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Implied by persistence mechanism)
## Targeting
- **Sectors:** Government entities (implied by the focus on war risk assessment and military leadership).
- **Geography:** Ukraine.
- **Victims:** Ukrainian organizations and individuals of interest to North Korean intelligence.
## Tools & Infrastructure
- **Malware Families Used:** The final payload (backdoor/espionage malware) was not retrieved by researchers, but the initial execution leverages **PowerShell** and **VBScript**.
- **Infrastructure:**
- **Delivery/Hosting:** MEGA hosting service (used to host the password-protected archives that form the second step of the delivery chain).
- **Email Services:** Freemail services (Gmail, ProtonMail, Outlook), compromised or otherwise used by the actor, for email delivery.
- **Credential Phishing Site:** `jetmf[.]com` (defanged).
## Implications
This activity signifies North Korea's direct involvement in cyber operations targeting the geopolitical landscape of the war in Ukraine. The intelligence-gathering objective appears aimed at informing Pyongyang's strategic posture regarding Russia and the ongoing conflict. The use of sophisticated multi-stage delivery chains, including cloud hosting and layered scripting, indicates a persistent and well-resourced espionage campaign.
## Mitigations
- **Email Security:** Enhance filtering for emails containing links to unusual file-sharing services (like MEGA) or archives that trigger scripting upon execution.
- **Endpoint Detection & Response (EDR):** Implement behavior-based detection for the sequence of LNK/CHM file execution followed by PowerShell or VBScript launching and network beaconing.
- **Credential Defense:** Educate users against highly targeted spear-phishing, especially those impersonating IT security alerts (like Microsoft) requesting login verification. Enforce Multi-Factor Authentication (MFA) everywhere, especially on high-value government accounts.
- **Script Control:** Implement robust script control policies to restrict execution paths for PowerShell and VBScript, particularly when launched from atypical file types (.CHM, .LNK).
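As an added, defender-side illustration of the EDR mitigation above (not code from the report or from any vendor): a toy correlation over constructed process-creation and network events that flags the CHM/LNK execution, script-interpreter launch and outbound-beacon chain. The field names, the hh.exe and explorer.exe parent heuristics, the 60-second window and the sample addresses are all assumptions.

```python
"""Toy correlation for the chain named in the mitigations: CHM/LNK execution ->
PowerShell/VBScript launch -> outbound beacon. Events are constructed,
Sysmon-style dicts; the field names and the hh.exe/explorer.exe parent
heuristics are assumptions, not rules taken from the report."""

INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
CHM_PARENT = "hh.exe"        # Windows help viewer that opens .CHM files
LNK_PARENT = "explorer.exe"  # typical parent when a user opens a .LNK (noisy alone)


def detect(proc_events, net_events, window=60):
    """Return (pid, reason) pairs for interpreter launches that match the chain.
    proc_events: ts, pid, ppid, image, parent_image; net_events: ts, pid, dest."""
    flagged, alerts = set(), []
    for e in sorted(proc_events, key=lambda x: x["ts"]):
        if e["image"].lower() not in INTERPRETERS:
            continue
        parent = e["parent_image"].lower()
        # outbound connections made by this process shortly after it started
        beacons = [n for n in net_events
                   if n["pid"] == e["pid"] and 0 <= n["ts"] - e["ts"] <= window]
        reason = None
        if parent == CHM_PARENT:
            reason = "script interpreter spawned by the CHM viewer"
        elif e["ppid"] in flagged:
            reason = "second-stage interpreter spawned by a flagged process"
        elif parent == LNK_PARENT and beacons:
            reason = f"LNK-style launch followed by connection to {beacons[0]['dest']}"
        if reason:
            flagged.add(e["pid"])
            alerts.append((e["pid"], reason))
    return alerts


# Constructed sample telemetry (pids, timestamps and 203.0.113.x addresses are made up).
PROC = [
    {"ts": 0, "pid": 100, "ppid": 10, "image": "hh.exe", "parent_image": "explorer.exe"},
    {"ts": 2, "pid": 101, "ppid": 100, "image": "powershell.exe", "parent_image": "hh.exe"},
    {"ts": 5, "pid": 102, "ppid": 101, "image": "powershell.exe", "parent_image": "powershell.exe"},
    {"ts": 30, "pid": 200, "ppid": 10, "image": "wscript.exe", "parent_image": "explorer.exe"},
    {"ts": 40, "pid": 300, "ppid": 10, "image": "powershell.exe", "parent_image": "explorer.exe"},
]
NET = [
    {"ts": 6, "pid": 102, "dest": "203.0.113.10:443"},
    {"ts": 33, "pid": 200, "dest": "203.0.113.20:443"},
]

if __name__ == "__main__":
    for pid, reason in detect(PROC, NET):
        print(pid, reason)
```

In the sample, pid 300 (an interpreter launched from explorer.exe with no outbound connection) stays unflagged, which is the point of requiring the beacon for the noisier LNK heuristic.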