VPN Flaw Origin of Latest Attack
On May 14, Kimsuky managed to penetrate the Korean Atomic Energy Research Institute’s VPN system. KAERI, headquartered in Daejeon, South Korea, only discovered the break-in on May 31. Next, the think tank blocked the attackers’ IP addresses and upgraded their system security. They also reported the intrusion to the government. Experts are still investigating the scale of the attack. The organization does not yet know whether the hackers stole any data. The breach involved 13 different IP addresses, all of which were abusing a VPN vulnerability to access KAERI’s internal network. Seoul-based cybersecurity firm IssueMakersLab traced some addresses back to Kimsuky, a cyber-focused North Korean military unit tasked to generate income for the regime. KAERI redacted the name of the VPN server vendor in the documents they presented to the press on Friday.
Hack Poses Serious Security Risks
“Currently, the researcher’s investigation into the hacking incident is in progress. Analysis shows that it is the work of a North Korean hacking group”, confirmed the Korean Atomic Energy Research Institute in a statement. “In this process, the researcher discovered a move to cover up the fact of the hacking.” On Friday, AKERI retracted a previous statement that “there was no hacking incident”. The organization said that this statement “was a mistake in the response of the working-level staff, which occurred in a situation where damage was not confirmed during investigation due to suspected infringement”. Ha Tae-keung, a member of the parliamentary intelligence committee warned that “the incident could pose serious security risks if any core information was leaked to North Korea”. Further, he added that some of the IP addresses allegedly used the email address of a former advisor to President Moon Jae-in. The email account was hacked in 2018.
North Korea’s Cyber Abilities
North Korea’s cyber abilities have really hit the main stage in the last five years. Of note are the wide range of cyberattacks against US, UK and EU companies and institutions. And several high-profile bank heists. Earlier this year, CNN reported that North Korean hackers stole approximately $316.4 million in virtual assets. Most of the stolen funds have gone into maintaining and upgrading Pyongyang’s nuclear and ballistic missile programs. In this regard, it is no surprise that organizations such as the Korean Atomic Energy Research Institute are high on the agenda of North Korean cyber-espionage groups. Historically, the Kimsuky PAT Group, also known as Thallium, Velvet Chollima or Black Banshee, has targeted government and university employees, human rights organizations, individuals that work in think tanks and many others. Most of their targets are based in the US, as well as Japan and South Korea.
Kimsuky’s Tactics, Techniques and Procedures
Several reports released in 2020 and 2021 clearly identify Kimsuky as a growing threat actor. In October, the US Cybersecurity & Infrastructure Security Agency released a report on the hacker group’s recent activities. It describes the tactics, techniques and procedures (TTPs) used by the APT Group against worldwide targets to gain intelligence. In December the Korea Internet & Security Agency (KISA) published their phishing target reconnaissance and attack resource analysis, providing details about the phishing infrastructure and TTPs Kimsuky used to specifically target South Korea. Earlier this month, the Malwarebytes Threat Intelligence team provided more insight in the victimology and phishing infrastructure Kimsuky operators used to target South Korean government officials. North Korea continues to deny any involvement in these and other cyberattacks. Meanwhile, the EU imposed sanctions on North Korean companies and individuals following their alleged involvement in high-profile cyberattacks. The FBI has also added three North Korean government hackers to their Cyber’s Most Wanted list in February this year.
One of the World’s Biggest
South Korea is one of the world’s biggest nuclear energy producing countries. The country currently ranks sixth. Russia, Japan, China, France and, at number one, the US are the five biggest producers. In 2017, however, South Korea took a completely new course when President Moon Jae came into power. He vowed to end the use of nuclear power and is determined to lead his country towards a nuclear-free era. Nonetheless, atomic energy research will continue. Nuclear applications are essential in a range of other fields other than power and weapons. Possible applications range from medicine to agriculture, food safety, forensics, industrial radiography, the analysis of artefacts, and more. KAERI, for example, developed the world’s first radiopharmaceutical “Milican Injection” almost twenty years ago today to treat liver cancer without medical surgery. In the Netherlands, the Delft University of Technology uses cold neutron research facilities provided by KAERI to develop new drugs and original technology in the fields of bioscience, nanotechnology, and new materials.