North Korean APT group Kimsuky allegedly hacked South Korea’s atomic research agency KAERI

North Korea-linked APT group Kimsuky allegedly breached South Korea’s atomic research agency KAERI by exploiting a VPN vulnerability.

South Korean representatives declared on Friday that North Korea-linked APT group Kimsuky is believed to have breached the internal network of the South Korean Atomic Energy Research Institute (KAERI).

The Korea Atomic Energy Research Institute (KAERI) in Daejeon, South Korea was established in 1959 as the sole professional research-oriented institute for nuclear power in South Korea.

The security breach took place on on May 14, and the institute discovered it only on May 31, then the research institute reported the incident to the government and launched an investigation.

The investigation into the intrusion revealed the involvement of 13 internet addresses including one traced to the Kimsuky APt group.

“The breach of the Korea Atomic Energy Research Institute (KAERI) took place on May 14 involving 13 internet addresses including one traced to Kimsuky, said Ha Tae-keung, a member of the parliamentary intelligence committee, citing an analysis by Seoul-based cybersecurity firm IssueMakersLab.” reported the Reuters.

“The incident could pose serious security risks if any core information was leaked to North Korea, as KAERI is the country’s largest think tank studying nuclear technology including reactors and fuel rods,” Ha Tae-keung said in a statement.

A KAERI spokesperson revealed that threat actors exploited a vulnerability in a virtual private network (VPN) server to gain access to the network of the institute.

“The Korea Atomic Energy Research Institute checked the history of access to some systems by unknown outsiders through the VPN system vulnerability. In accordance with this, the attacker IP is blocked and the VPN system security update is applied.” reads a statement published by the agency. Currently, the Atomic Energy Research Institute is investigating the subject of the hacking and the amount of damage, etc. ㅇ The statement that “there was no hacking incident” was a mistake in the response of the working-level staff, which occurred in a situation where damage was not confirmed during investigation due to suspected infringement.”

The South Korean authorities did not reveal which VPN vendor was targeted by the threat actors.

“The name of the VPN server vendor was redacted in documents presented to South Korean press today at a KAERI press conference.” reported The Record.

North Korea-linked cyber espionage group Kimsuky (aka Black Banshee, Thallium, Velvet Chollima) was first spotted by Kaspersky researcher in 2013.

At the end of October 2020, the US-CERT published a report on Kimusky’s recent activities that provided information of their TTPs and infrastructure.

The APT group mainly targeting think tanks and organizations in South Korea, other victims were in the United States, Europe, and Russia.

Early this month, researchers from Malwarebytes published a report on the Kimsuky APT’s operations aimed at South Korean government. The North Korea-linked threat actors are conducting spear-phishing attacks to deliver using the AppleSeed backdoor into the network of its targets.

According to data collected by Malwarebytes, targets associated with the Korean government include:

• Ministry of Foreign Affairs, Republic of Korea 1st Secretary
• Ministry of Foreign Affairs, Republic of Korea 2nd Secretary
• Trade Minister
• Deputy Consul General at Korean Consulate General in Hong Kong
• International Atomic Energy Agency (IAEA) Nuclear Security Officer
• Ambassador of the Embassy of Sri Lanka to the State
• Ministry of Foreign Affairs and Trade counselor

On December 2020, KISA (Korean Internet & Security Agency) provided a detailed analysis about the phishing infrastructure and TTPs used by Kimsuky to target South Korea.

Despite the suspects for the involvement of the North Korea in the attack, the Reuters agency reported that an official at the science and technology ministry, which is leading the investigation, said it had not found evidence to attribute the intrusion to North Korea.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

[adrotate banner=”5″]

[adrotate banner=”13″]