DPRK Hacking Groups Breach South Korean Defense Contractors


The National Police Agency in South Korea has issued an urgent warning regarding ongoing cyberattacks targeting defense industry entities by North Korean hacking groups. The police discovered several instances of successful breaches involving the hacking groups Lazarus, Andariel, and Kimsuky, all linked to the North Korean hacking apparatus.

The police report highlighted specific cases involving each hacking group, showcasing the diverse nature of the attacks aimed at stealing defense tech. For instance, Lazarus hackers infiltrated a defense company's internal networks by exploiting poorly managed network connection systems designed for testing. This breach occurred in November 2022, and critical data from at least six computers was exfiltrated to a cloud server located abroad. In another attack attributed to the Andariel group, account information was stolen from an employee of a maintenance company that serviced defense subcontractors. Using these stolen credentials in October 2022, the attackers implanted malware on subcontractors' servers, leading to significant leaks of defense-related technical data. This infiltration was exacerbated by employees using the same passwords for personal and work accounts, highlighting a common security vulnerability. Additionally, the Kimsuky group exploited a vulnerability in the email server of a defense subcontractor between April and July 2023. This vulnerability allowed the group to download large files without authentication, facilitating the theft of substantial technical data from the company's internal server.

Security Officer Comments:
These attacks involved sophisticated methods aimed at stealing valuable technology information. According to the announcement, the attackers exploited vulnerabilities in the targets' or their subcontractors' environments to plant malware capable of exfiltrating data. The special operation conducted by the National Police Agency and the Defense Acquisition Program Administration earlier this year discovered multiple companies that had been compromised since late 2022. However, these companies were unaware of the breaches until authorities informed them.

Suggested Corrections:
The Korean police recommend both defense companies and their subcontractors improve network security segmentation, issue periodic password resets, set up two-factor authentication on all critical accounts, and block foreign IP accesses.

Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.