
Lovers’ Disagreement leads to North Korea’s Access to Russian Foreign Affairs Ministry


North Korea has been caught spying on Russia through the use of a backdoor planted within specialized internal government software. This revelation came to light when a sample of the Konni backdoor was uploaded to VirusTotal in mid-January 2024. What made this discovery even more intriguing was that the backdoor was concealed within a Russian-language installer associated with a tool known as “Statistika KZU” (Статистика КЗУ).

Upon closer inspection by researchers from Berlin’s DCSO CyTec, it was revealed that there were no public records or references to Statistika KZU. However, based on the install paths, file metadata, and user manuals included in the installer, they concluded that it was a platform designed for internal use within Russia’s Ministry of Foreign Affairs (MID). This software was primarily used by officials to securely transmit annual statistical reports from overseas consular posts. Because they were unable to independently test the program’s functionality, the researchers could not definitively confirm its legitimacy.

John Bambenek, president of Bambenek Consulting, highlighted the significance of using a backdoor in software exclusively utilized by the Russian Foreign Ministry. He noted that this demonstrates thorough research conducted by North Korean hackers in order to specifically target their victims. Interestingly, Bambenek compared this approach to the tactics employed by Russian intelligence with NotPetya, showcasing a more precise and targeted method of infiltration.

The relationship between Russia and North Korea is complex, with a longstanding friendship existing between the two countries. While their outward appearance may suggest camaraderie, behind the scenes, North Korean hackers have a history of spying on their northern neighbors. For over five years, state hackers have been orchestrating attacks aimed at Russian companies, diplomats, policy experts, the military, and more. Konni, the backdoor in question, has played a central role in numerous incidents involving espionage activities directed towards Russian-speaking individuals and businesses.

The recent discovery of the Konni backdoor in a Russian government software installer may have been facilitated by prior intelligence-gathering efforts. DCSO raised questions about how North Korea obtained information about internal Russian government software, speculating that years of Konni-linked activity targeting Russian foreign policy entities could have provided ample opportunities for the acquisition or exfiltration of internal tools for backdooring purposes.

Despite the unethical nature of spying on allies, intelligence agencies often resort to such tactics to gather insights that could either strengthen relationships or identify and mitigate potential threats. Bambenek aptly pointed out that such actions are not uncommon in the realm of international espionage.

In conclusion, the discovery of North Korean state hackers infiltrating Russian government software serves as a stark reminder of the intricate web of cyber espionage and the lengths to which nations will go to gain a competitive edge in the digital realm. The evolving landscape of cyber threats underscores the necessity for heightened vigilance and robust cybersecurity measures to safeguard sensitive government data from malicious actors.
