Skip to content

North Korean hackers infiltrate Russian Foreign Affairs Ministry

  • by
  • 2 min read

Hackers allegedly working for the North Korean government compromised the email account of a staff member at the Russian Ministry of Foreign Affairs. The hacked account was used to deploy spear-phishing attacks on the country’s diplomats in other regions. 

The campaign is believed to have been running since at least October 19 2021, and works on the Konni malware. Konni is a remote administration tool associated with the previous activity from a North Korean hacker group known as APT37 or Group 123.

The attacks were being tracked by cybersecurity firm Cluster25 and Black Lotus Labs. Cluster 25 published a report on January 3 detailing the attacks.

Also read: PCIe 6.0 finalised specs released: Doubled bandwidth and power efficiency

An unpleasant back and forth?

Cluster25’s report details the attack vector as a spear-phishing theme for New Year’s festivities as bait. Once the malicious email attachment is opened and executed, the Konni RAT is deployed as the final payload.

The first emails were sent to the staff at the Russian embassy in Indonesia and politician Sergey Alexeyevich Ryabkov, Russia’s current Deputy Foreign Minister, who is also responsible for bilateral relationships with North and South America. The email consisted of a congratulatory message coming from fellow diplomates at the embassy in Serbia, sending a zip archive along with a holiday screensaver.

North Korean hackers infiltrate Russian Foreign Affairs Ministry
An overview of the campaign against the Russian Foreign Ministry | Source: Black Lotus Labs

When extracted, the file contained an executable that delivered the payload disguised as a Windows service called scrnsvc.dll. The attackers relied on spoofed hostnames for common Russian email services, including and Yandex.

Another campaign that came to light started around November 7 and delivered URLs for downloading an archive with documents, asking for information on vaccination status.

According to Black Lotus Labs, the campaign intercepted by Cluster25 was the third one, coming from the same threat actor and using the compromised ‘’ account to send out the malicious emails. The email headers revealed that the emails originated from the same IP address. Further technical analysis of the payload chain from Black Lotus Labs confirms Cluster25’s findings. 

In the News: Log4j’s vulnerable versions have over 4 million downloads since disclosure

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: