North Korea’s major advanced persistent threats (APTs) have been silently spying on South Korean defense contractors for at least a year and a half, infiltrating about 10 organizations.
South Korean police released this week the results of an investigation which uncovered simultaneous espionage campaigns carried out by Andariel (aka Onyx Sleet, Silent Chollima, Plutonium), Kimsuky (aka APT 43, Tallium, Velvet Chollima, Black Banshee) and the larger Lazarus Group. Law enforcement did not name victim advocacy organizations or provide details about the stolen data.
The announcement comes a day after North Korea conducted its own first ever exercise simulating a nuclear counterattack.
DPRK APTs persist
Few countries are as aware of cyber threats from foreign nation-states as South Korea, and few industries are as aware as the military and defense. Yet Kim is the best he always seems to find a way.
“APT threats, particularly those driven by state-level actors, are notoriously difficult to fully deter,” laments Ngoc Bui, cybersecurity expert at Menlo Security. “If an APT or actor is highly motivated, there are few obstacles that cannot ultimately be overcome.”
In November 2022, for example, Lazarus targeted a contractor that was cyber-aware enough to operate separate internal and external networks. However, hackers took advantage of their negligence in managing the system connecting the two. First, the hackers hacked and infected an external network server. While the defenses were down for a network test, they managed to tunnel through the network connection system and into the bowels. They then began collecting and exfiltrating “important data” from the computers of six employees.
In another case that began around October 2022, Andariel obtained the login information of an employee of a company that performed remote computer maintenance for one of the defense contractors in question. Using the hacked account, he infected the company’s servers with malware and exfiltrated data related to defense technologies.
Police also highlighted an incident spanning from April to July 2023, in which Kimsuky exploited the groupware email server used by a defense firm’s partner company. A vulnerability allowed unauthorized attackers to download large files sent internally via email.
Extinguish Lazarus
It is helpful to the authorities, explains Bui, that “DPRK groups like Lazarus often reuse not only their malware but also their network infrastructure, which can represent both a vulnerability and a strength in their operations. Their OPSEC failures and infrastructure reuse, combined with innovative tactics such as corporate infiltration, make them particularly intriguing to monitor.”
The perpetrators of each defense breach were identified through the malware deployed after the compromise, including the Nukesped and Tiger remote access Trojans (RATs), as well as their architecture and IP addresses. Notably, some of this IP dates back to Shenyang, China, and a 2014 attack on Korea Hydro & Nuclear Power Co.
“North Korea’s hacking attempts against defense technology are expected to continue,” Korea’s national police agency said in a statement. The agency recommends that defense companies and their partners use two-factor authentication and periodically change passwords associated with their accounts, isolate internal networks from external networks, and block access to sensitive resources by addresses Unauthorized and unnecessary foreign IPs.