Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

North Korea APT Triumvirate Spied on South Korean Defense Industry For Years

Lazarus, Kimsuky, and Andariel all got in on the action, stealing "important" data from firms responsible for defending their southern neighbors (from them).

3 Min Read
North and South Korea flags beside each other
Source: Steve Allen Travel Photography via Alamy Stock Photo

North Korea's premiere advanced persistent threats (APTs) have been quietly spying on South Korean defense contractors for at least a year and a half, infiltrating some 10 organizations.

South Korean police this week released the findings of an investigation that uncovered concurrent espionage campaigns carried out by Andariel (aka Onyx Sleet, Silent Chollima, Plutonium), Kimsuky (aka APT 43, Thallium, Velvet Chollima, Black Banshee), and the broader Lazarus Group. Law enforcement did not name the victim defense organizations nor provide details on the stolen data.

The announcement comes one day after North Korea conducted its first-ever drill simulating a nuclear counterattack.

DPRK APTs Persist

Few countries are so aware of cyber threats from foreign nation-states as South Korea, and few industries so aware as military and defense. And yet, Kim's best always seem to find a way.

"APT threats, particularly those driven by state-level actors, are notoriously difficult to fully deter," laments Mr. Ngoc Bui, cybersecurity expert at Menlo Security. "If an APT or actor is highly motivated, there are few barriers that can't eventually be overcome."

In November 2022, for instance, Lazarus targeted a contractor which was cyber aware enough to operate separate internal and external networks. However, the hackers took advantage of their negligence in managing the system connecting the two. First, the hackers breached and infected an external network server. While defenses were down for a network test, they tunneled through the network connection system and into the innards. They then began harvesting and exfiltrating "important data" from six employee computers.

In another case beginning around October 2022, Andariel obtained login information belonging to an employee of a company that performed remote IT maintenance for one of the defense contractors in question. Using the hijacked account, it infected the company's servers with malware and exfiltrated data relating to defense technologies.

Police also highlighted an incident that lasted from April to July 2023, in which Kimsuky exploited the groupware email server used by one defense firm's partner company. A vulnerability allowed the unauthorized attackers to download large files that'd been sent internally via email.

Snuffing Out Lazarus

Of use to authorities, Bui explains, is that "DPRK groups such as Lazarus frequently reuse not only their malware but also their network infrastructure, which can be both a vulnerability and a strength in their operations. Their OPSEC failures and reuse of infrastructure, combined with innovative tactics such as infiltrating companies, make them particularly intriguing to monitor."

The perpetrators behind each of the defense breaches were identified thanks to the malware they deployed post-compromise — including the Nukesped and Tiger remote access Trojans (RATs) — as well as their architecture and IP addresses. Notably, some of those IPs traced to Shenyang, China, and a 2014 attack against the Korea Hydro & Nuclear Power Co.

"North Korea's hacking attempts targeting defense technology are expected to continue," the Korean National Police Agency said in a statement. The agency recommends that defense companies and their partners use two-factor authentication and periodically change passwords associated with their accounts, cordon off internal from external networks, and block access to sensitive resources for unauthorized and unnecessary foreign IP addresses.

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights