South Korean police said on Tuesday that North Korean hacking groups have been mounting "all-out" cyberattacks against South Korean defence companies over the past year, infiltrating their internal networks and stealing technical data.
According to the police, the hacking groups Lazarus, Kimsuky, and Andariel, working directly or through contractors, planted malicious code in the data systems of the defence companies.
During the hacking process, the state-sponsored hackers exploited vulnerabilities in the targeted defence companies' systems and installed malware to compromise their subcontractors. The campaign lasted over a year; local reports claim that the attackers managed to steal sensitive information from 10 of the 83 defence contractors and subcontractors they targeted between October 2022 and July 2023.
According to KPNA, many of these companies were completely unaware that they had been breached until the police contacted them. A special inspection was conducted between January 15th and February 16th by the National Police Agency and the Defense Acquisition Program Administration, and protective measures were implemented to secure critical networks as a result.
The special investigation found that multiple companies had been compromised since late 2022 but were unaware of it until authorities informed them of the breach. In November 2022, for example, Lazarus targeted a contractor that was security-conscious enough to operate separate internal and external networks.
However, the hackers took advantage of the contractor's negligence in managing the system linking the two networks. They first breached and infected an external network server.
While the network connection system was down for a network test, they tunnelled through it and got inside the internal network while the defences were down.
They then harvested and exfiltrated data from six employee computers. The defence companies did not realise they had been hacked until the police investigation.
Although North Korea is isolated from the rest of the world, it has extremely strong cyber capabilities and a history of launching successful attacks against global targets over the past few decades.
Past attacks include one on Bangladesh's central bank that caused the loss of £64.6 million ($81 million), as well as the theft of detailed designs for a supersonic jet and a submarine, both of which would weigh three tons.
Weak cybersecurity practices at several South Korean firms enabled the North Korean attackers to compromise employees' systems, with employees using the same password to access both their professional and personal accounts.
Additionally, starting around October 2022, Andariel obtained login information from an employee of a company responsible for the remote maintenance of the defence contractor in question.
Using the hijacked account, the group infected the company's servers with malware and exfiltrated data regarding defence technology.
The police investigation also revealed an incident between April and July 2023 in which Kimsuky exploited the groupware email server of a partner company of a defence firm. A vulnerability in the server allowed an unauthorized attacker to download large files that had been sent internally via email.
The hackers likewise took advantage of subcontractor employees who used the same password for their official and personal email accounts, gaining access to defence business networks and extracting sensitive technical data. Police have not disclosed the nature of the compromised data or the names of the companies involved.
South Korea has become a leading global defence supplier in recent years, signing contracts worth billions of dollars to supply mechanized howitzers, tanks, and fighter jets. North Korean hacking gangs have previously been reported to have gained access to the networks of global defence corporations, South Korean financial institutions and news outlets, and, in a significant 2014 security breach, South Korea's nuclear power operator.
There has been widespread speculation that North Korean hackers have been responsible for large-scale thefts of Bitcoin, the proceeds of which have allowed them to finance their weapons development. The North Korean government denies any involvement in the cyberattacks or cryptocurrency thefts alleged by other countries.