South Korean defense companies fall victim to North Korean cyber attacks
The extent of damage is unknown until the police investigation
Presumed to be directed by Kim Jong Un
The National Security Investigation Division of the Korean National Police Agency’s National Office of Investigation collaborated with the National Cyber Crisis Management Department in an investigation. On the 23rd, they announced that they had confirmed North Korean hacking groups Lazarus, Andariel, and Kimsuky had jointly launched cyber attacks for the past year and a half, intending to steal domestic defense technology.
The police said they identified about ten domestic defense companies as hacked, based on the pattern of North Korean hacking activity, confirmed intelligence, and cyber threat information shared between related agencies.
They also attributed the attacks to North Korea based on the IP addresses and malware involved, which had been used to exploit software vulnerabilities and to build relay (transit) servers.
Among the 83 domestic defense companies, some of the victims' records contained IP addresses traced to the area of Shenyang, China, the same addresses used in the 2014 attack on Korea Hydro & Nuclear Power.
North Korean hacking groups mainly attacked defense companies directly, but in some cases they worked their way in through defense cooperation companies with relatively weak security.
North Korea's method was to hack the cooperating companies, steal the server and account information of the defense companies they worked with, and then gain unauthorized access to those servers to distribute malware and steal information.
According to the police, the North Korean hacking group Lazarus accessed a defense company's external server in November 2022, infected it with malware, and then took control of the company's internal network through a port on the network connection system that had been left open for testing purposes.
They then collected confidential and vital data from six internal network computers, including the development team’s computers, and moved it to an overseas cloud server.
Most attacked companies were unaware of the damage until the police investigation, raising questions about defense companies’ overall lax security management.
In the case of Andariel, around October 2022, the group found the account information of a second company that remotely maintains and supports defense cooperative companies, including a third company. It then planted malware on the servers of the third company and others to steal defense technology data.
Andariel found the personal and business email account information of a second-company employee and used it to access the company's email. From April to July 2023, Kimsuky exploited a vulnerability in Defense Cooperative Company D's server that allowed large files to be downloaded without an email login.
Through this investigation the police confirmed that the hacking attacks had gone on for a long time, but it was difficult to determine the specific scale of the damage and the period over which the crimes took place.
The police explained that North Korea had carried out attacks in full force using multiple hacking organizations to extract domestic defense technology. It is presumed to have followed specific instructions from North Korea’s Chairman of the State Affairs Commission, Kim Jong Un.
Meanwhile, no investigation has been conducted into allegations of communication with North Korea in connection with the hacking of the defense companies, or into negligence in security management.
The National Office of Investigation conducted a joint inspection with the Defense Acquisition Program Administration and the National Intelligence Service targeting defense companies in January and February of this year and took preventive measures.