South Korean nuclear research body the Korean Atomic Energy Research Institute (KAERI) has revealed it was hacked by North Korean advanced persistent threat (APT) group Kimsuky. It is the latest in a string of attacks on South Korean government targets and national infrastructure orchestrated by Kimsuky and other state-backed APT groups from North Korea, as its government seeks to disrupt its neighbour.
In a statement, KAERI said it had been hacked through a VPN system vulnerability, claiming “the attacker IP is now blocked and the VPN system security update is applied”. The extent of the damage is as yet unknown. If Kimsuky has leaked vital information to the DPRK, there could be serious national security implications for South Korea. Representative Ha Tae-keung of the People Power Party, South Korea’s main opposition party, said: “If the state’s key technologies on nuclear energy have been leaked to North Korea, it could be the country’s biggest security breach, almost the same level as a hacking attack by the North into the defence ministry in 2016.”
North Korean cyberattacks on South Korea: What is Kimsuky?
Kimsuky, also known as Velvet Chollima, was first spotted by security company Kaspersky in 2013. “They are a geopolitically motivated APT group primarily targeting the Korean Peninsula,” explains Seongsu Park, senior security researcher at Kaspersky. “The Kimsuky has a solid motivation for collecting political and diplomatic intelligence, but occasionally they shift their target to financial industries. Until recently, they have been very active and attacked lots of entities with several clusters.”
The group has recently favoured a backdoor called AppleSeed, which it used in the attack on KAERI. “The Kimsuky group delivers AppleSeed with various methods and file formats and decoy documents that contain geopolitical issues,” explains Park. “It has simple functionalities to control infected hosts. Using this malware, the actor can exfiltrate data and implant additional malware.”
How did Kimsuky get into the system?
The APT group infiltrated KAERI’s network through a vulnerability in its VPN system. “VPNs are a big vulnerability because a lot of corporations think that using one is going to solve their security problems, when in fact it is just another threat vector these days,” says Darren Williams, CEO and co-founder of security company Blackfog.
With the proliferation of remote working driven by the Covid-19 pandemic, VPNs have become more widely used than ever and also a bigger target for hackers. “It’s great for the attackers because it’s a centralised way to grab data from corporations, as now [all users] are tunnelling through exactly the same connection,” Williams says. “So if you can get on the back of that, then you can pretty much steal anything within the corporation, so it’s interesting that the Kimsuky focuses on that.”
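As an added, defender-side illustration of the point Williams makes (this is not code from the article, from KAERI or from any VPN vendor): a small Python triage script run over constructed VPN authentication log lines in a hypothetical syslog-style layout. It raises an alert when a login succeeds from a source the incident team has already blocked (meaning the block is not effective), from outside the networks where sessions are expected, or from a source that had just failed repeatedly. The log format, the addresses, the expected networks and the thresholds are all assumptions.

```python
"""Triage of VPN authentication logs for a single concentrator.

Constructed example. Each line follows a hypothetical layout:
    <ISO-8601 timestamp> vpn auth <SUCCESS|FAILURE> user=<name> src=<ipv4>
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real logs from any organisation).
SAMPLE_LOG = """\
2021-06-14T08:01:10Z vpn auth SUCCESS user=jkim src=10.20.30.4
2021-06-14T08:03:55Z vpn auth FAILURE user=admin src=203.0.113.77
2021-06-14T08:04:01Z vpn auth FAILURE user=admin src=203.0.113.77
2021-06-14T08:04:07Z vpn auth FAILURE user=admin src=203.0.113.77
2021-06-14T08:04:20Z vpn auth SUCCESS user=admin src=203.0.113.77
2021-06-14T08:10:00Z vpn auth SUCCESS user=spark src=198.51.100.9
2021-06-14T09:00:00Z vpn auth SUCCESS user=jkim src=10.20.30.4
"""

# Hypothetical policy: networks from which legitimate sessions are expected.
EXPECTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),
]
# Hypothetical blocklist, e.g. a source the response team says it has blocked.
BLOCKED_IPS = {ipaddress.ip_address("203.0.113.77")}

BRUTE_FORCE_THRESHOLD = 3            # failures before a success is suspicious
BRUTE_FORCE_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one log line into a dict of typed fields."""
    ts, _, _, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": ipaddress.ip_address(src_kv.split("=", 1)[1]),
    }


def _trim(queue, now):
    """Drop failure timestamps that fell out of the sliding window."""
    while queue and now - queue[0] > BRUTE_FORCE_WINDOW:
        queue.popleft()


def analyse(log_text):
    """Return a list of (alert_kind, user, src, timestamp) tuples."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        src, ts, user = ev["src"], ev["ts"], ev["user"]
        failures = recent_failures[src]
        _trim(failures, ts)
        if ev["result"] == "FAILURE":
            failures.append(ts)
            continue
        # Only successful logins are worth alerting on here.
        if src in BLOCKED_IPS:
            alerts.append(("blocked_source", user, str(src), ts))
        if not any(src in net for net in EXPECTED_NETWORKS):
            alerts.append(("unexpected_source", user, str(src), ts))
        if len(failures) >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("success_after_failures", user, str(src), ts))
        failures.clear()
    return alerts


if __name__ == "__main__":
    for kind, user, src, ts in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:24} user={user} src={src}")
```

On the constructed sample, only the `admin` login from 203.0.113.77 trips the checks, and it trips all three: the source is on the blocklist yet still authenticated, it is outside every expected network, and it followed three failures in under a minute. A single success from a supposedly blocked address is the check that matters most after an incident like the one described above, because it shows the remediation did not hold.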
Why North Korean gangs are increasingly targeting South Korea
This attack is the latest in a string of attacks perpetrated by threat actors allegedly based in North Korea. Cybersecurity company Malwarebytes says Kimsuky alone has attempted to hack devices belonging to high-ranking officials such as the Minister of Foreign Affairs and the country’s trade minister in recent months. Non-government targets have also included Seoul National University and the Daishin financial security company.
North Korean actors are suspected to have launched an average of 1.5 million cyberattacks a day against the public sector in South Korea during 2020, including financial and infrastructure targets, according to South Korean government sources quoted by the Singapore-based news outlet The Straits Times. This is up from 410,000 a day in 2016, and Blackfog’s Williams says more hacking groups are being co-opted by the North Korean government as part of a campaign against the country’s neighbour in the South. “I guess they’re forcing [hackers] to do this just to put food on the table,” Williams says. “They’re being very targeted at what they do try and achieve.”
This is not the first North Korean attack on nuclear infrastructure. In October 2019 the Lazarus group, another APT group believed to be operating on behalf of the North Korean government, hacked the Kudankulam nuclear power plant in India, in the southern state of Tamil Nadu. On that occasion, the offending machine was quickly identified and isolated.
Describing the latest reported breach as “troubling”, Steve Forbes, government cybersecurity expert at Nominet, says the implications could be severe. “With North Korea’s nuclear ambitions well known, this breach could have serious consequences on global security if South Korean nuclear intelligence is compromised,” Forbes says.