Hackers spearphished U.S. government agency with North Korea-related content last year

Palo Alto Networks' Unit 42 found more activity that appears to be from a group that so far has evaded attribution, but has shown certain habits in its spearphishing campaigns.
(Getty Images)

In the second half of 2019, a U.S. government agency was targeted by repeated spearphishing attempts that could be from a mysterious group that has evaded attribution for years, according to new research issued Thursday by security firm Palo Alto Networks.

The campaign, waged between July and October of 2019, targeted one U.S. government agency, which researchers at Palo Alto Networks’ Unit 42 do not identify, as well as two unnamed foreign nationals who are “professionally affiliated with” North Korea.

The contents of the emails, which were sent with malicious files attached, touched on North Korean geopolitical topics, such as the possibility of a dialogue between Washington and Pyongyang or Russian-North Korean trade issues.

Unit 42’s report does not say whether the spearphishing campaign was successful.


The suspected hacking group — which Unit 42 and researchers from Cisco Talos have detailed in previous research — is known to target entities and individuals “who have interest in, are directly linked to, or conduct business in North Korea,” according to Unit 42.

Opening the attached files could allow the hackers to gain remote access to a machine, and in some cases, possibly deliver malicious software, establishing persistence on a network, Unit 42 said.

“The documents themselves were rather generic and had no embedded image enticements to enable macros,” the Unit 42 researchers write. “They did, however, leverage second-stage downloader components.”

The group has used remote access trojans (RAT) to steal files, record keystrokes, take screenshots, and execute arbitrary code in the past, according to Cisco Talos.

Hackers with links to North Korea often use spearphishing schemes that resemble this campaign to steal information. Just last month, Microsoft announced it had taken over dozens of websites used by suspected North Korean hackers in attempted spearphishing-related schemes that targeted government employees and nuclear organizations.


The dates cited by Unit 42 match up with a period when tensions mounted over flagging denuclearization talks between the Trump administration and Kim Jong-un’s regime.

Stealth in the scheming

The spearphishing campaign, which Unit 42 has dubbed “Fractured Statue,” ran in three separate waves, trying to activate a series of different downloaders.

One particular spate of spearphishing attempts, in which the hackers sent a downloader dubbed “CARROTBALL” that delivered a specific kind of malware called “SYSCON,” was designed to evade detection.

That particular campaign would use File Transfer Protocol to allow the hackers to maintain network communications with compromised systems, according to Unit 42. After the hackers’ command and control is established, they could also deliver four more malicious files which could be used to establish persistence on victim machines and delete signs of malware.


And although the targets were North Korean-linked individuals or those working at a U.S. government agency, the emails and files the group sent last year were written primarily in Russian and emanated from Russian email addresses, according to Unit 42.

The hackers tailored some of their scheme to certain machines; they designed the macro code to check for whether the victim’s computer was using Windows with an x86 or x64 architecture, according to Unit 42.

Konni connection?

Unit 42 assesses with “moderate confidence” the spearphishing campaign is by the same hackers who make up the so-called Konni Group, which has been known to target people with an interest in North Korea or who are linked to North Korea.

The group first got its name thanks to the RAT it used between 2014 and 2017 called “Konni,” according to Talos.


In this most recent campaign, the hackers did not use the Konni RAT, but the downloaders they deployed are largely the same ones that the Konni Group has been using since 2017, according to Unit 42.

It’s always possible the campaign is by another actor running a “false flag” operation to disguise itself.

“[C]opycat actors may attempt to emulate previously observed TTPs to hinder attribution efforts or perform false-flag operations,” the researchers wrote in a blog post.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts