Konni Group

Threat Actor updated 7 months ago (2024-05-04T16:51:09.536Z)
The Konni Group, also known as TA406, is a threat actor believed to be associated with North Korean cyberespionage activities. According to cybersecurity firm DuskRise, the group has been involved in sophisticated cyberattacks, including one where they compromised a foreign ministry email account to send a Trojanized .zip file to the Indonesian embassy, making it seem like the email originated from the Russian Embassy in Serbia. The group's activities are not confined to targeting adversaries; despite Russia and North Korea's close ties, Russian government organizations have frequently been on the receiving end of their attacks. The Konni Group's modus operandi often involves working in sync with other North Korean cyberespionage groups such as Kimsuky Group and APT37. They are known for their targeted attacks on Russian foreign policy targets, following a pattern similar to the 2021 campaign uncovered by Lumen and Cluster25 researchers. In October, DCSO researchers revealed that the Konni Group had injected their malware into an installer for Russian tax filing software, Spravki BK, further demonstrating their consistent focus on Russian targets. The group has also shown its capability to compromise software installers, as seen when they obtained packages for Statistika KZU and integrated their malware into the installation process. This tactic allows them to infiltrate systems unnoticed and conduct espionage activities. Their activities highlight the persistent threat posed by state-sponsored cyber-espionage groups, underscoring the need for robust cybersecurity measures within government organizations and critical infrastructure.
Description last updated: 2024-03-06T05:21:43.944Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
TA406 is a possible alias for Konni Group. TA406, also known as the Konni Group or Kimsuky, is a state-sponsored cybercrime organization based in North Korea. This threat actor has been implicated in numerous cyber espionage activities, targeting entities such as news media organizations, academic institutions, and think tanks. The group gai
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes
The KONNI Malware is associated with Konni Group. Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba
Association Type: Unspecified
Votes: 2
Source Document References
Information about the Konni Group Threat Actor was read from the documents corpus below. This display is limited to 20 results.