North Korean state hackers appear to be spying on Russia, by planting a backdoor inside of bespoke, internal government software.
In mid-January 2024, a sample of the Konni backdoor was uploaded to VirusTotal. More interesting than the gift, though, was the wrapping — it came bundled inside of a Russian-language installer, apparently associated with a tool called “Statistika KZU” (Cтатистика КЗУ).
Upon further investigation, researchers from Berlin’s DCSO CyTec were unable to find any public record or even references to Statistika KZU. Based on install paths, file metadata, and user manuals included in the installer, however, they deduced that it is a platform built for internal use within Russia’s Ministry of Foreign Affairs (MID). Specifically, officials use it to securely relay annual statistical reports from overseas consular posts (the researchers did note that they were unable to conclusively confirm its legitimacy, as they were unable to independently test the program’s functionality).
“The use of a backdoor in software used almost exclusively by the Russian Foreign Ministry stands out,” says John Bambenek, president at Bambenek Consulting. “It shows that the DPRK did their research here for a very specific hook into their victims, and is, ironically, a more targeted and precise adaptation of the approach Russian intelligence used with NotPetya.”
Russia & North Korea’s “Frenemy” Cyber Ways
Russia and North Korea have a longstanding friendship, as strong today as ever. Even its cybercriminals are friends.
And yet, behind the scenes, Kim Jong-Un’s hackers have an extensive history of spying on their northern neighbors. For no less than half a decade, state hackers have been carrying out attacks specifically targeting Russian companies. They’ve continued with similar activity ever since, aiming campaigns against diplomats and policy experts, the military, and more. Konni has taken center stage in a number of these incidents, including a broad 2018 campaign which swept up Russian-speaking individuals and businesses.
In fact, this latest Konni case may only have been possible thanks to prior information-gathering efforts.
In its blog post, DCSO wondered how the DPRK could’ve even known about internal Russian government software. “We are unable to offer any concrete conclusions in this regard,” they wrote, but added that “Konni-linked activity targeting Russian foreign policy end-targets including the MID has been observed for many years, potentially providing many opportunities for internal tool identification and subsequent acquisition or exfiltration for backdooring purposes.”
Spying on one’s friends may be uncouth, but “it is not uncommon for intelligence agencies to spy even on their putative allies, if for nothing else, for insights to either strengthen the relationship or to identify and mitigate threats to the relationship,” Bambenek points out.
