One employee's account was allegedly compromised
The North Korean hacker group APT37 attacked the Russian Foreign Ministry and its employees in late 2021 and subsequently compromised the account of a government employee, US information security experts have reported.
According to researchers at US cybersecurity companies Cluster25 and Black Lotus Labs, and later reported by Moscow daily Kommersant, a phishing campaign was targeted at the Ministry back in October. The researchers claim that some employees were sent archives of documents and asked to provide vaccination details, while others were sent links to malware disguised as the software the Russian government uses to collect Covid vaccination statuses. As a result, one account was compromised.
From the compromised address, hackers managed to send a phishing email to Russian Deputy Minister Sergey Ryabkov on December 20 and also targeted the Russian Embassy in Indonesia.
APT37 is well-known for using software called Konni, a remote administration tool. It has reportedly been used to target South Korea, as well as political organizations in Japan, India, and China, among other countries. According to Kommersant, the group has been around since at least 2017.
This latest accusation isn't the first time that North Korea has been blamed for attempted phishing attacks on Russia. In November last year, Kommersant reported that another hacker group, Kimsuky, sent phishing emails purporting to come from well-known Russian experts, scientists, and NGOs to specialists on Korea in an attempt to obtain online login credentials.
Last week, Russian security services arrested a notorious group of hackers following information provided by US authorities. The Federal Security Service (FSB) detained people in Moscow, St. Petersburg, and Lipetsk Region who were allegedly members of REvil, a notorious ransomware group known for receiving millions in ransom payments.