Cyber Incident Victim: US municipal government

Date:

Jul 2019

Location:

United States of America

Summary

A U.S. government agency was compromised via phishing emails containing malicious Microsoft Word attachments disguised as geopolitical documents related to North Korea, sent from Russian email addresses. The campaign, attributed with moderate confidence to the KONNI threat group aligned with North Korean interests, deployed new CARROTBALL malware alongside the known CARROTBAT dropper, ultimately installing the SYSCON remote access trojan to establish command-and-control via FTP. Attackers evolved their tactics across multiple waves, shifting from document-embedded macros to binary-based payload delivery, demonstrating updated techniques while maintaining consistent objectives of stealthy remote access.

Description

Between July and October 2019, a U.S. government agency and foreign nationals with professional ties to North Korea-related activities were targeted in a cyber campaign dubbed Fractured Statue. Attackers sent phishing emails from four Russian email addresses containing malicious Microsoft Word document attachments. These documents posed as lures discussing geopolitical relations and investment-climate topics related to North Korea. Six unique document lures were deployed across three attack waves, with the first two waves distributing the CARROTBAT dropper malware. When opened, these documents executed macros that checked the victim's Windows architecture, ran hidden commands embedded in textboxes, and then cleared evidence of the malicious activity. The macros facilitated the download and installation of SYSCON, a full-featured remote access trojan that uses FTP for command-and-control communications.

The final wave in October 2019 introduced CARROTBALL, a new malware family delivered via an email titled "The investment climate of North Korea" from the address pryakhin20l0@mail[.]ru. This document contained an evolved macro technique that abandoned textbox commands in favor of embedded hex bytes delimited by pipe characters. Upon execution, the macro converted these hex bytes into a binary dropper file. While CARROTBALL represented a tactical evolution, the campaign maintained consistent infrastructure and objectives with prior KONNI group operations dating back to November 2018. Researchers attributed the activity with moderate confidence to KONNI, a threat actor historically aligned with North Korean interests, though they noted the possibility of false-flag emulation by other groups. Deployment of the SYSCON RAT gave the attackers persistent access to compromised systems, though specific operational impacts on the U.S. agency were not publicly disclosed. Palo Alto Networks' Unit 42 documented the campaign's technical progression but highlighted challenges in definitive attribution due to overlapping tactics across threat groups.
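The pipe-delimited hex technique described above lends itself to a simple static check on extracted macro source. The following detector is an added example written for this page, not code from Unit 42 or from the incident; it assumes the VBA source has already been pulled out of the document (for instance with oletools' olevba), and the hex blob in the sample is a constructed stand-in that merely begins with the PE "MZ" signature.

```python
import re

# Constructed sample of VBA source in the style the description attributes to
# CARROTBALL: the payload travels as pipe-delimited hex bytes in the macro
# rather than as commands hidden in a textbox. The bytes are a constructed
# stand-in that only starts with the "MZ" PE signature; they are not a dropper.
SAMPLE_MACRO = (
    'Sub AutoOpen()\n'
    '    Dim h As String\n'
    '    h = "4D|5A|90|00|03|00|00|00|04|00|00|00|FF|FF|00|00"\n'
    '    Call WriteBytes(h, Environ("TEMP") & "\\drop.exe")\n'
    'End Sub\n'
)

# Benign constructed text: short pipe-separated fields, not a hex blob.
SAMPLE_BENIGN = 'Version = "1|2|3"\nNote = "ab|cd"\n'


def pipe_hex_pattern(min_bytes):
    """Regex for a run of at least min_bytes pipe-delimited hex byte pairs."""
    return re.compile(
        r'\b(?:[0-9A-Fa-f]{2}\|){%d,}[0-9A-Fa-f]{2}\b' % (min_bytes - 1)
    )


def decode_run(run):
    """Convert '4D|5A|...' into the bytes the macro would write to disk."""
    return bytes(int(pair, 16) for pair in run.split('|'))


def scan_macro_text(text, min_bytes=16):
    """Report every long pipe-delimited hex run and whether it decodes to a PE.

    A run whose decoded bytes start with the MZ signature is the strongest
    signal: the macro is reconstructing an executable, not a string table.
    """
    findings = []
    for match in pipe_hex_pattern(min_bytes).finditer(text):
        blob = decode_run(match.group())
        findings.append({
            'offset': match.start(),
            'length': len(blob),
            'pe_header': blob.startswith(b'MZ'),
        })
    return findings


if __name__ == '__main__':
    for name, text in (('sample', SAMPLE_MACRO), ('benign', SAMPLE_BENIGN)):
        print(name, scan_macro_text(text))
```

Any long run is worth a look even without an MZ header, since a loader may strip or reorder the first bytes; the threshold `min_bytes` controls how aggressive the rule is.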
