North Korean Hackers Have Been Exploiting South Korean Defense Companies for Nearly Two Years

May 6, 2024

Lazarus and the other state-sponsored North Korean hacking teams have made news repeatedly over the past two years for their huge crypto thefts, exploiting DeFi platforms for hundreds of millions of dollars at a time. The North Korean hackers have had another major project during this time that has remained quiet until now: penetrating South Korea’s defense companies, which have become major global suppliers of military hardware, and stealing sensitive data about munitions and vehicles.

A report issued by South Korea’s National Police Agency indicates that the “big three” of North Korean hackers have all been involved in this project since at least late 2022: Lazarus, Kimsuky and Andariel. They have also used a variety of techniques to penetrate the defense companies, from timing an attack during a temporary security shutdown to locating subcontractor credentials shared between personal and work devices.

Secrets of South Korean defense companies raided for North Korean weapons production

The report attributes the attacks to North Korean hackers with high confidence based on their previously observed tactics, malware and architecture. Recent developments in North Korean munitions also seem to reflect the theft of technology from their neighbors to the south. These groups have also been linked to attacks on South Korean defense companies in the past, most recently attacks in 2023 that led to the theft of information on submarines and the country’s first domestic supersonic fighter jet.

While North Korea is often stereotyped as a backward country, its APT groups are among the world’s most advanced and dangerous. The government relies heavily on them for theft of money, cryptocurrency and salable secrets, given the economic restrictions put on it by the rest of the world. Children who show promise with cyber skills are pulled out of the country’s regular schools and placed in a six-year training program designed to make nation-state hackers out of them.

North Korean hackers lurked in South Korean systems for well over a year

The report does not name specific defense companies that were breached, but there is a relatively short list that would be of interest. It did describe some of the tactics the North Korean hackers used, with each of the three APT groups using different approaches.

One of the groups apparently had inside information on when one of the defense companies would be conducting an internal network test that temporarily required it to disable security. They used this window to exploit incorrectly managed network connection systems. Another exploited an employee of a subcontractor who had apparently been using the same credentials for his personal and work logins. And the third group also attacked a subcontractor, but found an unaddressed vulnerability in its email server that allowed it to access large file attachments without authentication.

The first of these incidents took place in late 2022, but the North Korean hackers were able to hide their activity until a special investigation was conducted earlier this year.
