TA406

Threat Actor updated 7 months ago (2024-05-04T17:49:22.885Z)
TA406, also known as the Konni Group or Kimsuky, is a state-sponsored threat group based in North Korea. The group has been implicated in numerous cyber espionage campaigns against news media organizations, academic institutions, and think tanks. It is known for sophisticated attacks that often embed malware in legitimate software installation processes; in one notable case the group obtained installer packages for Statistika KZU and incorporated the Konni malware into the installation routine.

In June 2023, U.S. and South Korean intelligence agencies issued warnings about cyber espionage attacks by Kimsuky. The alerts were directed at news media organizations, academic entities, and think tanks, highlighting the group's broad range of targets. The group has also been observed using commodity Remote Access Trojans (RATs) together with custom Gold Dragon backdoors, further demonstrating its technical capabilities.

More recently, in February 2024, TA406 was reported to have targeted Russia, compromising an installer for software used by the Russian Ministry of Foreign Affairs. The trojanized installer deployed the Konni RAT backdoor, also known as UpDog, and the infection sequence started as soon as the installer was opened. This incident underscores the group's ongoing activity and its ability to reach high-level government systems, emphasizing the need for robust defences against such advanced persistent threats.
Description last updated: 2024-05-04T17:24:30.751Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias | Description | Votes
KONNI | KONNI is a possible alias for TA406. Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba | 2
Konni Group | Konni Group is a possible alias for TA406. The Konni Group, also known as TA406, is a threat actor believed to be associated with North Korean cyberespionage activities. According to cybersecurity firm DuskRise, the group has been involved in sophisticated cyberattacks, including one where they compromised a foreign ministry email account to | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Source Document References
Information about the TA406 Threat Actor was read from the documents corpus below. This display is limited to 20 results.