Please update your browser.

Our site no longer supports this browser. Using another one will help provide a better experience.

Menu

News Releases

New evidence from Lumen reveals Konni attack on Russia lasted three months
January 6, 2022
Persistent campaign began in October 2021; actor modified lures from Covid to New Year's messages

DENVER, Jan. 6, 2022 /PRNewswire/ -- Researchers at Black Lotus Labs®, the threat intelligence team at Lumen Technologies, discovered new evidence of a months-long campaign against the Russian Ministry of Foreign Affairs (MID). The highly targeted campaign included the deployment of the Konni RAT – a malicious Remote Access Trojan that researchers and governments believe is a tool used by the Democratic People's Republic of Korea (DPRK) since 2014.

Black Lotus Labs discovered new evidence of a months-long campaign against the Russian Ministry of Foreign Affairs.

"This activity cluster demonstrates the patient and persistent nature of advanced actors who wage multi-phased campaigns against perceived high-value networks," said Mark Dehus, director of threat intelligence at Black Lotus Labs. "If actors attempt to infiltrate the Russian Ministry of Foreign Affairs, what's to stop them from attempting to use these same tactics on other governments or high-profile businesses? For this reason, it is vital for defenders to understand advanced actors' evolving capabilities and tradecraft used to infect coveted targets."

Read the full blog here.

Timeline of Observed Events

The series of persistent actions against Russia's MID occurred from October to December 2021 as follows:

  • In October, the actors set up spoofed hostnames to harvest credentials of an active MID account.
  • In November, the attackers used social engineering to lure recipients into downloading malware disguised as software the Russian government uses to collect Covid vaccination statuses.
  • In December, the attackers used the previously acquired credentials to spear-phish high-value targets with a Happy New Year-themed message. If invoked, a loader nearly identical to the one observed in November would deploy a sophisticated infection chain resulting the Konni RAT, as previously reported by Cluster25.

Why This Attack is Significant

  • One of the high-profile targets included Sergey Alexeyevich Ryabko, deputy foreign minister for the Russian Federation, among other Russian government officials.
  • According to a cached version of the MID's website – which has since gone offline – Ryabko is responsible for bilateral relations with North and South America, non-proliferation and arms control, Iran's nuclear program and Russia's participation in the BRICS association.

Black Lotus Labs' Response

  • Black Lotus Labs successfully blocked the threat actor's infrastructure across the Lumen global IP network to protect its customers and the broader internet from being targeted.
  • The team continues to follow this activity to detect and disrupt similar campaigns, and it encourages other organizations to alert on these and similar indicators in their environments.

Additional Resources

About Lumen Technologies

Lumen is guided by our belief that humanity is at its best when technology advances the way we live and work. With approximately 450,000 route fiber miles and serving customers in more than 60 countries, we deliver the fastest, most secure platform for applications and data to help businesses, government and communities deliver amazing experiences. Learn more about the Lumen network, edge cloud, security, communication and collaboration solutions and our purpose to further human progress through technology at news.lumen.com/home, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies and YouTube: /lumentechnologies. Lumen and Lumen Technologies are registered trademarks.

SOURCE Lumen Black Lotus Labs

For further information: Media Contact: Suzanne K. Dawe, Lumen Public Relations, Connected Security | Black Lotus Labs, 720.217.5476, suzanne.dawe@lumen.com
Latest News
December 17, 2024

Lumen® Private Connectivity Fabric℠ will expand Prometheus' network capacity across its growing data center footprint DENVER, Dec. 17, 2024 /PRNewswire/ -- Prometheus Hyperscale has chosen...

November 26, 2024

Lumen Technologies, Inc. (NYSE: LUMN) (the "Company" or "Lumen") announced today the expiration and results of the cash tender offers (the "Amended Offers") of Lumen and its indirect, wholly-owned...

November 19, 2024

Results are set forth below for (i) Lumen's tender offers for its unsecured senior notes maturing in 2025, 2026 and 2027 and (ii) Level 3's tender offers for its unsecured senior notes maturing in...

More news