Ethical Hacking News
North Korea's KONNI group has found a new way to destroy evidence by hijacking Google's Find My Device service, highlighting the growing risk for anyone relying on "lost device" features that are tied to online identity systems. The case shows why users should be cautious with cloud services whose most destructive actions are gated only by an account login.
The KONNI group from North Korea hijacked Google's Find My Device service to trigger factory resets on compromised smartphones and tablets. The attackers used stolen account credentials harvested through spear-phishing or fake login pages to access the Find My Device platform. The hackers could trigger remote wipes, locking victims out of their own phones and destroying incriminating evidence of compromise. The attack began with a phishing campaign on the popular South Korean messaging app KakaoTalk. The attackers used malware to harvest Google and Naver account credentials, enabling them to manipulate cloud services. The hackers exploited the victim's still-logged-in KakaoTalk desktop app to spread malware-laden files to their contacts.
North Korea's notorious KONNI group has found a new way to destroy evidence of their cyber-spying activities by hijacking Google's Find My Device service. This remote-wipe tool, designed to help users locate lost or stolen Android devices, was abused with stolen credentials rather than through any flaw in the service itself, allowing North Korean state-backed spies to trigger factory resets on compromised smartphones and tablets.
The KONNI group, linked for years to North Korea's intelligence apparatus, has a history of espionage operations aimed at Seoul's government, military, and think tank sectors. Their latest campaign marks an escalation in their mobile-focused tactics, showcasing that Pyongyang's cyber operators are increasingly adept at exploiting legitimate cloud services to hide their activity and control victims' devices.
According to South Korean cybersecurity firm Genians, the attackers used stolen Google account credentials harvested through spear-phishing or fake login pages to access victims' profiles on the Find My Device platform. This feature, which allows users to locate lost phones, lock them, or perform a factory reset, became an unwitting tool for sabotage. Once logged in, the hackers could trigger remote wipes, locking victims out of their own phones and destroying incriminating evidence of compromise.
The infection chain began with victims being approached via the popular South Korean messaging app KakaoTalk. Attackers sent files masquerading as benign content, lured victims into installing signed MSI attachments or ZIP archives, and deployed AutoIt scripts that installed RATs such as RemcosRAT, QuasarRAT, and RftRAT. These tools harvested Google and Naver account credentials, giving the attackers control of the victims' cloud services and, through Find My Device, the ability to wipe the device remotely.
Immediately after the reset, the attackers reportedly exploited the victim's still-logged-in KakaoTalk desktop app to send malware-laden files to the victim's contacts – effectively turning each compromised account into a secondary infection vector. This rapid follow-on phase allowed the KONNI operators to spread their payloads before targets could regain access to their wiped devices.
The attackers used the GPS location feature in Find My Device to identify when a target was outside and less likely to react quickly. In one incident, the attacker executed the wipe command not just once but three times, further delaying device recovery and ensuring the victim remained locked out.
This tactic underscores a growing risk for anyone relying on "lost device" features that are tied to online identity systems. While the ability to remotely reset a stolen phone is designed as a security safeguard, it also offers attackers an easy way to destroy evidence or cause disruption once account credentials are stolen.
KONNI's use of Android wiping follows years of more traditional espionage tactics, including Windows malware campaigns and phishing attacks designed to exfiltrate documents and credentials. The group has previously deployed custom backdoors disguised as North Korea policy papers or government forms, and has been observed overlapping infrastructure with other DPRK outfits, including Kimsuky.
Genians recommends that users of Find My Device tools enable multifactor or biometric authentication. For victims of KONNI's latest stunt, however, the damage is already done. Once a factory reset is triggered through Google's own service, there's no undo button – just a blank phone and the tidy handiwork of a state hacker covering their tracks.
This case highlights the need for users to be cautious with cloud services that rely on online identity systems: the wipe was issued through a legitimate, signed-in Find My Device session, so the account login itself is the control that must be protected. Enabling multifactor authentication on the Google and Naver accounts tied to a device significantly reduces the risk of this kind of takeover.
Related Information:
https://www.ethicalhackingnews.com/articles/North-Koreas-Find-Hub-Exploit-How-Googles-Device-Management-Service-Became-a-Remote-Wipe-Tool-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/11/11/north_korean_spies_turn_googles/
https://www.bleepingcomputer.com/news/security/apt37-hackers-abuse-google-find-hub-in-android-data-wiping-attacks/
https://www.forbes.com/sites/alonzomartinez/2025/04/25/north-korean-hackers-pose-as-remote-workers-to-infiltrate-us-firms/
Published: Tue Nov 11 10:37:06 2025 by llama3.2 3B Q4_K_M