Full Report
KONNI espionage crew covertly abused Google’s Find My Device feature to remotely factory-reset Android phones North Korean state-backed spies have found a new way to torch evidence of their own cyber-spying – by hijacking Google's "Find Hub" service to remotely wipe Android phones belonging to their South Korean targets.…
Analysis Summary
# Threat Actor: KONNI
## Attribution & Identity
**Attribution:** North Korean state-backed actors, linked to the DPRK intelligence apparatus.
**Aliases and Known Associations:** KONNI espionage crew. Infrastructure overlaps have been observed with other DPRK outfits (the specific groups are not named in the report).
## Activity Summary
The activity described involves the KONNI group abusing Google's "Find My Device" service (via the "Find Hub") to remotely factory-reset Android smartphones and tablets belonging to their targets. This action serves to torch evidence of their cyber-spying operations by wiping personal data, messages, and potentially incriminating evidence from compromised devices. Victims were targeted in South Korea.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Approached victims via the South Korean messaging app KakaoTalk, sending files masquerading as benign content.
- **Execution/Defense Evasion:** Lured victims into installing signed MSI attachments or ZIP files.
- **Persistence/Command and Control:** Deployed AutoIt scripts to install Remote Access Trojans (RATs) including RemcosRAT, QuasarRAT, and RftRAT.
- **Credential Access:** Used installed RATs to harvest Google and Naver account credentials.
- **Impact/Action on Objectives (Lateral Movement/Anti-Forensics):** Used harvested legitimate credentials to access victims' profiles on the Google Find My Device platform.
  - Triggered remote factory resets on the victim's Android devices.
  - Exploited the victim's still-logged-in KakaoTalk desktop app **immediately after the wipe** to send malware-laden files to the victim's contacts, creating a secondary infection vector.
  - Used the GPS location feature in Find My Device to identify when a target was outside and less likely to react quickly before executing the wipe command.
  - Executed the wipe command multiple times in at least one incident to delay recovery.
- **Historical TTPs:** Previously engaged in traditional espionage tactics, including Windows malware campaigns, phishing, and deploying custom backdoors disguised as North Korea policy papers or government forms.
## Targeting
- **Sectors:** Government, military, and think tank sectors (historical focus).
- **Geography:** South Korea.
- **Victims:** Users of Android smartphones and tablets in South Korea.
## Tools & Infrastructure
- **Malware Families Used:** RemcosRAT, QuasarRAT, RftRAT (installed via AutoIt scripts).
- **Infrastructure:** Abused legitimate Google cloud infrastructure (Find My Device/Find Hub) after stealing credentials. Used KakaoTalk for initial delivery and subsequent lateral movement.
## Implications
This campaign marks an escalation in KONNI's mobile-focused tactics, demonstrating Pyongyang's growing aptitude for exploiting legitimate, trusted cloud services (like Google's device management) to achieve operational security (hiding tracks) and cause disruption. The destruction of forensic evidence via authorized cloud features poses a significant challenge to incident response.
## Mitigations
- Enable multifactor or biometric authentication on Find My Device tools and associated accounts (Google/Naver).
- Be cautious of unsolicited files received via KakaoTalk, even if appearing benign.
- Secure application sessions (e.g., ensure KakaoTalk desktop apps are logged out or secured, mitigating post-wipe lateral spread).
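As an added example (not code from the report or from any vendor), a small Python detection that walks process-creation telemetry for the delivery chain in the TTP list above: the KakaoTalk desktop client spawning an MSI install that in turn launches the AutoIt interpreter, the path by which the RATs were dropped. The event layout, the sample events and the assumption that the interpreter runs as `AutoIt3.exe` are constructed for this example; real telemetry (Sysmon event 1, EDR process trees) carries the same pid/ppid/image fields.

```python
# Added example: flag the KakaoTalk -> msiexec -> AutoIt delivery chain in
# process-creation telemetry. Event shape and sample events are constructed.

# Constructed events: (pid, parent pid, image name, command line)
SAMPLE_EVENTS = [
    (100, 1,   "explorer.exe",  "explorer.exe"),
    (200, 100, "KakaoTalk.exe", "KakaoTalk.exe"),
    (300, 200, "msiexec.exe",   "msiexec.exe /i C:\\Users\\u\\Downloads\\policy.msi /qn"),
    (400, 300, "AutoIt3.exe",   "AutoIt3.exe C:\\ProgramData\\update.au3"),
    (500, 400, "svchost.exe",   "svchost.exe -k netsvcs"),   # implant masquerading (constructed)
    (600, 100, "msiexec.exe",   "msiexec.exe /i C:\\Users\\u\\Downloads\\vendor.msi"),  # benign
]

# Root-to-leaf chain we look for; intermediate processes between members are allowed.
CHAIN = ("kakaotalk.exe", "msiexec.exe", "autoit3.exe")


def ancestry(events, pid):
    """Image names from pid up to the root (leaf first, lower-cased)."""
    by_pid = {e[0]: e for e in events}
    names = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        names.append(image.lower())
        pid = ppid
    return names


def matches_chain(events, pid, chain=CHAIN):
    """True if pid runs chain[-1] and its ancestors contain the earlier members in order."""
    lineage = ancestry(events, pid)
    if not lineage or lineage[0] != chain[-1]:
        return False
    remaining = list(chain[:-1])          # innermost expected ancestor is last
    for name in lineage[1:]:
        if remaining and name == remaining[-1]:
            remaining.pop()
    return not remaining


def find_delivery_chains(events, chain=CHAIN):
    """Pids of processes that complete the suspicious chain."""
    return [e[0] for e in events if matches_chain(events, e[0], chain)]


def descendants(events, pid):
    """Pids spawned (directly or indirectly) by a flagged process: the likely RAT."""
    kids = [e[0] for e in events if e[1] == pid]
    return kids + [d for k in kids for d in descendants(events, k)]


if __name__ == "__main__":
    for hit in find_delivery_chains(SAMPLE_EVENTS):
        print("suspicious chain ends at pid", hit, "children:", descendants(SAMPLE_EVENTS, hit))
```

The benign `msiexec.exe` launched from Explorer (pid 600) is not flagged because no KakaoTalk ancestor precedes it; tuning the chain to your own messaging clients and script hosts is the expected adaptation.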