North Korean Hackers Exploit Google's Find Hub for Data Wiping Attacks on South Koreans
- John Jordan
- 2 hours ago
- 2 min read
North Korean state-sponsored hackers, identified as the Konni group, have launched a sophisticated cyberattack targeting South Koreans by exploiting Google's Find Hub service to remotely wipe data from compromised devices. This marks a significant escalation in tactics, as the group weaponizes legitimate tools for destructive purposes and leverages social engineering through popular platforms like KakaoTalk to spread malware.
Key Takeaways
North Korean Konni hackers are using Google's Find Hub to remotely wipe data from Android devices.
The attacks begin with spear-phishing emails, impersonating legitimate entities like the National Tax Service.
Compromised KakaoTalk accounts are used to distribute malware to contacts.
This is the first known instance of a North Korean APT group using legitimate device management functions for destructive attacks.
Exploiting Trust and Legitimate Tools
The Konni group, also known by aliases such as Earth Imp and Opal Sleet, has been observed targeting both Android and Windows devices. Their modus operandi involves impersonating psychological counselors and North Korean human rights activists to distribute malware disguised as stress-relief programs. The initial infiltration often occurs through spear-phishing emails that mimic official communications, such as those from the National Tax Service, tricking recipients into opening malicious attachments. These attachments can deliver remote access trojans (RATs) like Lilith RAT, allowing attackers to gain extensive control over compromised machines.
Remote Data Wiping via Google's Find Hub
A particularly concerning aspect of these attacks is the exploitation of Google's Find Hub (formerly Find My Device). After gaining access to a victim's computer and potentially stealing Google account credentials, the attackers log into Find Hub to remotely reset the device. This action leads to the unauthorized deletion of all personal data, effectively rendering the device useless and causing significant disruption. The attackers have also been observed covering their tracks by deleting security alert emails from Google accounts and emptying trash folders.
KakaoTalk as a Propagation Vector
Adding another layer to their attack chain, the Konni hackers leverage compromised KakaoTalk PC accounts to distribute malicious payloads to the victim's contacts. These payloads are often delivered as ZIP archives containing malicious Microsoft Installer (MSI) packages. The MSI packages may abuse valid digital signatures to appear legitimate. Once executed, they can install various RATs, including Lilith RAT, EndRAT, Remcos RAT, Quasar RAT, and RftRAT, enabling further command and control, data exfiltration, and system monitoring.
Unprecedented Tactics and Evolving Threats
Cybersecurity firm Genians, which identified these attacks, noted that this combination of device neutralization and account-based propagation is unprecedented among known state-sponsored APT scenarios. This demonstrates a growing tactical maturity and advanced evasion strategy by North Korean threat actors. Google has stated that these attacks do not exploit any security flaws in Android or Find Hub but rather rely on stolen credentials and the abuse of legitimate functions. Google recommends that users enable 2-Step Verification and consider the Advanced Protection Program for enhanced security.
Sources
Konni Hackers Turn Google's Find Hub into a Remote Data-Wiping Weapon, The Hacker News.
North Korean hackers weaponise Google, KakaoTalk in first-of-its-kind cyberattack targeting South Koreans, Malay Mail.