North Korea Targets S.Korean Defense Tech

The South Korean police have issued a warning about cyberattacks by North Korean hacker groups targeting defense industry enterprises to steal valuable technological information.

The police have documented several instances of successful breaches of South Korean defense companies by hacker groups Lazarus, Andariel, and Kimsuky, which are part of the “North Korean hacking apparatus.”

According to the announcement, the culprits infiltrated organizations by exploiting vulnerabilities in the target environments or their subcontractors to install malware capable of exfiltrating data.

Law enforcement previously conducted a special inspection from January 15 to February 16 and implemented protective measures to secure critical networks. During this operation, numerous companies that had been compromised since the end of 2022 were identified, although they were unaware of the breach until notified by the authorities.

The police described three instances of attacks, each linked to the mentioned hacker groups, employing various methods aimed at stealing defense technologies.

• Lazarus exploited poorly managed network systems intended for testing and penetrated the internal networks of a defense company from November 2022. Once inside, the hackers collected critical data stored on at least six computers of the firm and transferred it to a cloud server abroad.
• Andariel stole the account credentials of an employee from a company servicing subcontractors in the defense sector. Using the stolen account in October 2022, the cybercriminals installed malware on the subcontractors’ servers, resulting in the leakage of defense-technical data.
• Kimsuky exploited a vulnerability in a subcontractor’s mail server between April and July 2023, enabling the uploading of large files without authentication. This flaw was used to download and steal technical data from the company’s internal server.

The Korean police recommend that both defense companies and their subcontractors enhance network segmentation, periodically reset passwords, set up two-factor authentication on all critical accounts, and block access from abroad.