South Korea's cybersecurity authorities have warned that North Korean hackers are trying to break into construction and machinery websites to steal data for the North's own development projects.
During the past year, North Korean hacking attempts aimed at stealing this kind of information have increased by about 50 per cent, said the Korea Cybersecurity Intelligence Community, which is made up of the main spy agency, the prosecution service, the police, and the military.
The North Korean hackers are believed to have used a "watering hole" method: compromising websites that the targeted users visit frequently, then using malicious code served from those sites to reach sensitive information on the visitors' systems.
South Korean security agencies issued a joint warning on Monday that North Korean hackers are actively trying to steal data related to construction projects and technological advances in the country.
According to the Korea Times, the Korea Cybersecurity Intelligence Community, which brings together the intelligence agencies, prosecutors, police and military, warned of the threat these attacks pose to networks in the sector.
The authorities say the North Korean hackers are using the stolen data to build factories and develop infrastructure at home in support of the country's economy, and that North Korean groups have recently been stepping up their attempts to steal such information.
According to the authorities, the hackers rely on the "watering hole" technique: they compromise websites that the targeted users visit regularly and embed malicious code in the pages, so that visitors are infected and information can be collected from them. Because a single compromised site reaches every one of its visitors, the method can hit a wide range of victims at once, which is what makes it so dangerous.
In January of this year, Kimsuky, a North Korea-based group, distributed malware in South Korea through the website of a construction-industry association, the authorities said.
The malware was hidden inside the security software that users had to install in order to log in to the website, so the computer systems of local governments, public institutions and construction companies that visited the site were infected.
According to the authorities, the North Korean hackers were looking for such information to help build plants and develop cities at home.
The attackers are thought to have exploited a vulnerable file-upload feature on the association's site to replace the software used to authenticate users with a tampered version, defeating the site's security controls. The authorities described the operation as "meticulously planned".
“It is believed that the hackers were trying to use the compromised credentials of officials in the construction sector, which had been compromised, as a means of stealing crucial information about major construction projects and technical data from companies involved in the projects,” the KCIC said.
A second case came in April, when the North Korean hacking group Andariel exploited vulnerabilities in VPN security software used by targeted construction and machinery companies, replacing the software's update files with malware in order to gain access to the companies' systems.
Besides the VPN products, Andariel also exploited weaknesses in server security products to get into server networks.
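Both cases above, the trojanized login software served from the association's website and the VPN update files swapped for malware, succeed only if the client installs whatever bytes the download server hands it. The script below is an added illustration, not code from the page, the KCIC advisory, or any VPN or login-plugin vendor, of the check a client should make first: verify every downloaded artifact against a manifest whose own authenticity is checked before any entry in it is trusted. Assumptions: the manifest format (one `name sha256 size` line per artifact followed by a `mac` line) is invented for the example; the HMAC key stands in for the vendor public key a real client would ship with, so a real deployment would verify an Ed25519 or Authenticode signature over the same manifest body; all artifact bytes are constructed inline so the script runs offline.

```python
"""Verify downloaded installers/updates against an authenticated manifest.

Added example (not from the page or any vendor). The manifest format and the
HMAC-based manifest authentication are assumptions made for illustration;
a real client would verify a vendor signature over the same manifest body.
"""
import hashlib
import hmac

# Stand-in for the trust anchor a real client ships with (a pinned vendor
# public key). An attacker who replaces files on the download server does
# not hold this, so they cannot produce a matching manifest tag.
MANIFEST_KEY = b"example-vendor-manifest-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, key: bytes) -> bytes:
    """Vendor side: list each artifact's name, SHA-256 and size, then
    authenticate the whole list with one tag so no single entry can be
    swapped without invalidating the manifest."""
    body = "".join(
        f"{name} {sha256_hex(data)} {len(data)}\n"
        for name, data in sorted(artifacts.items())
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return (body + f"mac {tag}\n").encode()


def parse_manifest(manifest: bytes, key: bytes) -> dict:
    """Client side: reject the manifest unless its tag verifies, then return
    {name: (sha256_hex, size)}. Nothing is trusted before the tag check."""
    lines = manifest.decode().splitlines()
    if not lines or not lines[-1].startswith("mac "):
        raise ValueError("manifest has no authentication tag")
    body = "".join(line + "\n" for line in lines[:-1])
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lines[-1].split(" ", 1)[1]):
        raise ValueError("manifest tag does not verify; reject the whole update")
    entries = {}
    for line in lines[:-1]:
        name, digest, size = line.split(" ")
        entries[name] = (digest, int(size))
    return entries


def verify_artifact(name: str, data: bytes, entries: dict) -> bool:
    """True only if the downloaded bytes match the manifest entry exactly:
    size first (cheap), then a constant-time digest comparison."""
    if name not in entries:
        return False
    digest, size = entries[name]
    if len(data) != size:
        return False
    return hmac.compare_digest(sha256_hex(data), digest)


# Constructed sample artifacts (not real installers or updates).
GENUINE_VPN_UPDATE = b"VPNCLIENT-UPDATE-3.2.1 " + b"\x00" * 64
GENUINE_LOGIN_PLUGIN = b"SITE-LOGIN-PLUGIN-1.4 " + b"\x01" * 64
MANIFEST = build_manifest(
    {"vpn_update.bin": GENUINE_VPN_UPDATE, "login_plugin.bin": GENUINE_LOGIN_PLUGIN},
    MANIFEST_KEY,
)


def check_download(name: str, data: bytes, manifest: bytes = MANIFEST,
                   key: bytes = MANIFEST_KEY) -> bool:
    """Install gate: False on a bad manifest, unknown name, or mismatch."""
    try:
        entries = parse_manifest(manifest, key)
    except ValueError:
        return False
    return verify_artifact(name, data, entries)


if __name__ == "__main__":
    # Same-length tampering keeps the size check happy; the digest catches it.
    tampered = GENUINE_VPN_UPDATE[:-8] + b"DORARAT!"
    print(check_download("vpn_update.bin", GENUINE_VPN_UPDATE))   # genuine
    print(check_download("vpn_update.bin", tampered))             # swapped file
    # Attacker also rewrites the manifest, but without the vendor key.
    forged = build_manifest({"vpn_update.bin": tampered,
                             "login_plugin.bin": GENUINE_LOGIN_PLUGIN},
                            b"attacker-key")
    print(check_download("vpn_update.bin", tampered, manifest=forged))
```

The important design point is that the manifest is authenticated as a whole before any per-file digest is consulted: a server compromise of the kind described above lets the attacker replace both the update file and a plain hash list sitting next to it, so a hash list that is not itself signed (or, as here, keyed) adds nothing.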
A "regional development 20+10 policy" was introduced by North Korea earlier this year, and the purpose of this policy is to establish industrial factories in at least 20 counties per year for the next ten years.
The threat actors were found to be distributing a remote-control malware known as DoraRAT, which they used to upload large machinery- and equipment-related design files to their command-and-control (C2) server, the South Korean spy agency reported.
Kimsuky and Andariel are among the North Korean hacking groups that work to fill the regime's coffers and advance its geopolitical agenda through malicious online activity, ranging from cyber espionage to attacks on cryptocurrency exchanges.
In the alert, the authorities identified DoraRAT as the remote-control malware used in the attack. It is described as simple and lightweight, built mainly for basic functions such as file upload and download and command execution.
DoraRAT was delivered through the watering hole, which put it in front of a large pool of potential targets. Compared with more sophisticated APT malware it offers minimal functionality, but a more concerning variant has been found with the ability to exfiltrate large files, particularly machinery and equipment design files.
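A tool whose main job is pushing large design files to a C2 server leaves a distinctive mark in egress logs: sustained outbound volume from one workstation to one destination that is not a sanctioned upload target. The following is an added detection example, not the KCIC's or any vendor's logic, that runs a sliding-window bulk-upload check over constructed proxy log lines. Assumptions: the log format (`time client method host status bytes_out`) is invented for the example and would be replaced by the fields of the real proxy in use; the 50 MB-per-hour threshold, the allow-list of sanctioned upload hosts, and every log line are constructed so the script runs offline.

```python
"""Flag bulk outbound uploads per (client, destination) in a sliding window.

Added example; the log format, hosts, addresses and thresholds are constructed
for illustration and are not taken from the page or from any real product.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format (assumed, not a real proxy's):
#   <ISO time> <client> <method> <host> <status> <bytes_out>
SAMPLE_LOG = """\
2024-04-02T09:14:03 10.20.5.17 GET  intranet.example.internal 200 512
2024-04-02T09:15:10 10.20.5.17 POST files.example.internal    200 38000000
2024-04-02T09:20:44 10.20.5.42 POST 203.0.113.77              200 26214400
2024-04-02T09:22:01 10.20.5.42 POST 203.0.113.77              200 31457280
2024-04-02T09:23:17 10.20.5.42 GET  www.example.com           200 1024
2024-04-02T10:05:09 10.20.5.88 POST cdn.example.net           200 2048
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")
UPLOAD_METHODS = {"POST", "PUT"}
# Destinations where large uploads are expected (assumed corporate file share).
SANCTIONED_UPLOAD_HOSTS = {"files.example.internal"}
WINDOW = timedelta(hours=1)
PER_HOST_THRESHOLD = 50 * 1024 * 1024  # 50 MiB in one window; tune per site


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, status, out = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "status": int(status),
            "bytes_out": int(out)}


def is_raw_ip(host: str) -> bool:
    """Uploads straight to a bare IP rather than a hostname are a useful
    secondary signal for hand-built C2 channels."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_bulk_uploads(lines, threshold=PER_HOST_THRESHOLD, window=WINDOW):
    """For each (client, host) pair, sum bytes_out of upload requests inside
    a sliding time window; emit one alert per pair that crosses threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        if rec["host"] in SANCTIONED_UPLOAD_HOSTS:
            continue
        events[(rec["client"], rec["host"])].append((rec["ts"], rec["bytes_out"]))

    alerts = []
    for (client, host), recs in events.items():
        recs.sort()
        start, running = 0, 0
        for ts, nbytes in recs:
            running += nbytes
            # Drop requests that fell out of the window.
            while ts - recs[start][0] > window:
                running -= recs[start][1]
                start += 1
            if running >= threshold:
                alerts.append({"client": client, "host": host,
                               "bytes_out": running, "raw_ip": is_raw_ip(host),
                               "first": recs[start][0], "last": ts})
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_uploads(SAMPLE_LOG.splitlines()):
        print(alert)
```

The constructed log contains one legitimate 38 MB upload to the sanctioned file share, which is skipped, and two uploads from the same client to a bare external IP that together cross the 50 MB window threshold, which is reported. In practice the threshold should be baselined per role (engineering workstations handling CAD files upload far more than finance), and where the proxy records content type or file name those fields should be added to the alert rather than used to suppress it.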
The advisory further highlights that the cyber group Andariel exploited vulnerabilities in server security products.
This points to a worrying trend of targeting IT management software, which typically holds high-level access to and control over many systems, so that a single compromise becomes an efficient route to mass infection.
This latest advisory follows a similar warning issued earlier in July by U.S., British, and South Korean government agencies. In that advisory, Andariel was accused of targeting the defence, aerospace, and energy sectors of these nations, to steal nuclear and military technologies. The stolen information is believed to be intended to further the military and nuclear ambitions of the North Korean regime under Kim Jong Un.
Government officials have expressed concern that in recent years, the Andariel group has been actively seeking classified technical information related to various military systems. These systems include battle tanks, artillery guns, small combat ships, submarines, underwater vehicles, fighter aircraft, and satellites.
The objective of acquiring this information appears to be the enhancement of North Korea's weapons development capabilities.
Additionally, cybersecurity firm Zscaler has attributed a separate cyber campaign to the North Korean group Kimsuky. Since March, Kimsuky has reportedly been using a malicious Google Chrome extension to exfiltrate sensitive information from South Korean academic institutions.
These institutions are primarily engaged in research on North Korean affairs, making them valuable targets for cyber espionage activities.
The persistence of these cyber threats highlights the ongoing challenges faced by nations in safeguarding critical infrastructure and sensitive information from state-sponsored cyberattacks.