June 22, 2021 (updated 08 Jul 2022 11:07am)

North Korea is ramping up cyberattacks on South Korean targets

Breach at nuclear research institution is the latest in a string of hacks on public sector targets.

By Claudia Glover

South Korean nuclear research body the Korean Atomic Energy Research Institute (KAERI) has revealed it was hacked by North Korean advanced persistent threat (APT) group Kimsuky. It is the latest in a string of attacks on South Korean government targets and national infrastructure orchestrated by Kimsuky and other state-backed APT groups from North Korea, as its government seeks to disrupt its neighbour.

[Photo: North Korea cyber attacks on South Korea] State-backed hacking gangs from North Korea have been stepping up their cyberattacks on targets in the South. (Photo by Astrelok/Shutterstock)

In a statement, KAERI said it had been hacked through a VPN system vulnerability, claiming “the attacker IP is now blocked and the VPN system security update is applied”. The damage from the hack is as yet unknown. If Kimsuky has leaked vital information to the DPRK there could be serious national security implications for South Korea. Representative Ha Tae-keung of the People Power Party, South Korea’s main opposition party said: “If the state’s key technologies on nuclear energy have been leaked to North Korea, it could be the country’s biggest security breach, almost the same level as a hacking attack by the North into the defence ministry in 2016.”

North Korean cyberattacks on South Korea: What is Kimsuky?

Kimsuky, also known as Velvet Chollima, was first spotted by security company Kaspersky in 2013. “They are a geopolitically motivated APT group primarily targeting the Korean Peninsula,” explains Seongsu Park, senior security researcher at Kaspersky. “The Kimsuky has a solid motivation for collecting political and diplomatic intelligence, but occasionally they shift their target to financial industries. Until recently, they are very active and attacked lots of entities with several clusters.”

The group has favoured malware called the “AppleSeed backdoor” recently, which it used in the attack on the KAERI. “The Kimsuky group delivers AppleSeed with various methods and file formats and decoy document that contains geopolitical issues,” explains Park. “It has simple functionalities to control infected hosts. Using this malware, the actor can exfiltrate the data and additional implant malware.”

How did Kimsuky get into the system?

The APT group infiltrated KAERI’s system through a VPN. “VPNs are a big vulnerability because a lot of corporations think that using one is going to solve their security problems, when in fact it is just another threat vector these days,” says Darren Williams, CEO and co-founder of security company Blackfog.

With the proliferation of remote working driven by the Covid-19 pandemic, VPNs have become more widely used than ever and also a bigger target for hackers. “It’s great for the attackers because it’s a centralised way to grab data from corporations, as now [all users] are tunnelling through exactly the same connection,” Williams says. “So if you can get on the back of that, then you can pretty much steal anything within the corporation, so it’s interesting that the Kimsuky focuses on that.”

Why North Korean gangs are increasingly targeting South Korea

This attack is the latest in a string of attacks perpetrated by threat actors allegedly based in North Korea. Cybersecurity company Malwarebytes says Kimsuky alone has attempted to hack devices belonging to high-ranking officials such as the Minister of Foreign Affairs and the country’s trade minister in recent months. Non-government targets have also included Seoul National University and the Daishin financial security company.


North Korean actors are suspected to have launched an average of 1.5 million cyberattacks a day against the public sector in South Korea during 2020, including financial and infrastructure targets, according to South Korean government sources quoted by the Singapore-based news outlet The Straits Times. This is up from 410,000 a day in 2016, and Blackfog’s Williams says more hacking groups are being co-opted by the North Korean government as part of a campaign against the country’s neighbour in the South. “I guess they’re forcing [hackers] to do this just to put food on the table,” Williams says. “They’re being very targeted at what they do try and achieve.”

This is not the first North Korean attack on nuclear infrastructure. In October 2019 the Lazarus group, another APT group believed to be operating on behalf of the North Korean government, hacked the Kudankulam nuclear power plant in India, in the southern state of Tamil Nadu. On that occasion, the offending machine was quickly identified and isolated.

Describing the latest reported breach as “troubling”, Steve Forbes, government cybersecurity expert at Nominet, says the implications could be severe. “With North Korea’s nuclear ambitions well known, this breach could have serious consequences on global security if South Korean nuclear intelligence is compromised,” Forbes says.
