North Korea-linked APT groups target South Korean defense contractors

Pierluigi Paganini April 23, 2024

The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting defense industry entities.

The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting defense industry entities to steal defense technology information.

North Korea-linked APT groups Lazarus, Andariel, and Kimsuky hacked multiple defense companies in South Korea, reported the National Police Agency.

The state-sponsored hackers hacked into the subcontractors of defense companies by exploiting vulnerabilities in the targeted systems and deployed malware.

“North Korean hacking organizations sometimes infiltrated defense companies directly, and their security is relatively low. Hacking into vulnerable defense industry partners and stealing the defense industry company’s server account information. Afterwards, it was discovered that threat actors had infiltrated major servers without permission and distributed malware.” reads the Police’s advisory shared by BleepingComputer.

The National Police Agency and the Defense Acquisition Program Administration (DAPA) conducted a series of special inspections of the environments of the targeted organizations.

The joint inspections occurred between January 15 and February 16 and impacted organizations implemented protective measures.

The Police states that the attacks are carried out in the form of an all-out war that see the contribution of multiple APT groups. The government experts warned that the attackers employed sophisticated hacking techniques.

The South Korea National Police Agency provided details of multiple attacks carried out by different APT groups.

In one case, the Lazarus APT group successfully breached an organization due poorly protected infrastructure. The group gained access to the network of a defense industry company since November 2022. The hackers deployed a malware and took control of the company’s internal network and exfiltrared important data from, including information stored on the computers of employees in the development team. The hackers breached at least 6 internal computers and stolen data were sent to overseas cloud servers

In a second case attributed to the Andariel APT group, threat actors used an account of an employee of a company that maintains the server of a defense industry company. The attackers stole the account in October 2022 and used it to deploy malware on the servers of defense subcontractors. The malware was used to exfiltrate technical data of valuable defense technology. The Police noticed that the employee was using the same password for personal and work accounts.

In a third attack linked to Kimsuky, the APT group exploited a vulnerability in the email server of a defense subcontractor between April and July 2023. Attackers exploited the flaw to download large files containing technical data without any authentication.

The National Police Agency recommends that defense companies and their subcontractors enhance their cybersecurity.

“North Korea’s hacking attempts targeting defense technology will continue.” concludes the advisory. “The National Police Agency will continue to track and investigate state-sponsored hacking organizations linked to North Korea.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, North Korea)

you might also like

leave a comment