N. Korean hackers breached 10 defense contractors in South for months, police say

Posted on : 2024-04-24 16:57 KST Modified on : 2024-04-24 16:57 KST
Police in South Korea say they may have only detected the “tip of the iceberg” of information that hackers got their hands on

South Korean police found evidence pointing to a concerted attack against defense industry companies by North Korean hacking organizations including the Lazarus Group in order to obtain defense technology.

The police also said the methods of attack had been varied, with numerous hacking organizations mobilized to target not only defense companies but also other businesses in partnership and outsourcing relationships with them.

The National Police Agency's national investigation headquarters announced Monday that it had confirmed an attack by North Korean hacking organizations including Lazarus, Andariel and Kimsuky, which were found to have targeted around 10 South Korean defense contractors and obtained defense technology.

The organizations were determined to have entered key defense company servers to plant malicious code, either by directly infiltrating the companies or by hacking partner and outsourcing businesses with relatively vulnerable security.

Police attributed the attack to North Korean hacking organizations on the basis of the source IP addresses, the network routing used, and the types of malicious code found.

Some of the companies were still unaware they had been breached when a special inspection began in January, which has raised the possibility that North Korea had been collecting the technology for some time.

Police put the dates of North Korea’s technology theft at October to November 2022 and April to July 2023, but cautioned that these are only estimates of when the information was taken and that the full period of the attack could not be established.

But an official with the police said the malicious code was “still active when the investigation was launched,” adding that “we may have only detected the tip of the iceberg.”

North Korea’s methods in carrying out the attack to steal South Korean defense industry technology were varied, with partner and outsourcing businesses also targeted.

Lazarus broke into an internet-facing server at its target company, planted malicious code there, and used that foothold to move into the company’s internal network. Investigators found that, by this route, key data had been exfiltrated to an overseas cloud service from six computers, including ones belonging to development team staff.

Andariel, which mainly stole military technology, took over the personal Naver and Kakao email accounts of staff at outsourcing firms that maintained and repaired the servers of defense industry partner companies, and used those accounts to gain access. It exploited the fact that some staff members used the same ID and password for their personal email and for their work account at the company in question.
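As an added illustration, not part of the original article and not a method the police described: a credential-reuse audit of the kind that would have surfaced the weakness Andariel exploited. It assumes the corporate directory stores per-user salted PBKDF2 hashes and that breach records for staff members’ personal mailboxes are available in plaintext; the account names, passwords and breach records below are constructed, and the match between a personal mailbox and a work account is made on the shared local part of the address, which is exactly the ID-reuse pattern the article describes.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters for the constructed corporate directory.
# A real audit would read hashes from the identity provider, not build them here.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest of a work password (assumed directory format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_directory(accounts):
    """Build {work_id: (salt, digest)} from (work_id, plaintext) pairs.

    Only used to construct sample data; production code never holds plaintexts.
    """
    directory = {}
    for work_id, plaintext in accounts:
        salt = os.urandom(SALT_BYTES)
        directory[work_id.lower()] = (salt, hash_password(plaintext, salt))
    return directory


def local_part(address: str) -> str:
    """'Kim.MS@naver.com' -> 'kim.ms'; the ID staff reused across services."""
    return address.split("@", 1)[0].lower()


def audit_reuse(directory, leaked):
    """Return [(work_id, personal_email)] for every leaked personal-mailbox
    credential whose password also verifies against the matching work account.

    directory: {work_id: (salt, digest)} as produced by make_directory
    leaked:    iterable of (personal_email, leaked_password) from breach data
    """
    hits = []
    for email, leaked_pw in leaked:
        work_id = local_part(email)
        if work_id not in directory:
            continue  # no work account shares this ID; nothing to compare
        salt, digest = directory[work_id]
        # compare_digest keeps the check constant-time even though a PBKDF2
        # digest is already the expensive part.
        if hmac.compare_digest(hash_password(leaked_pw, salt), digest):
            hits.append((work_id, email))
    return hits


def demo():
    """Constructed scenario: one maintenance-contractor employee reuses a
    personal-webmail password as their work password; two do not."""
    directory = make_directory([
        ("kim.ms", "Spring2023!"),
        ("park.jh", "Tr0ub4dor&3"),
        ("lee.sy", "correct horse battery staple"),
    ])
    leaked = [  # constructed breach records for personal Naver/Kakao mailboxes
        ("kim.ms@naver.com", "Spring2023!"),      # same ID and same password
        ("park.jh@kakao.com", "park-personal-1"),  # same ID, different password
        ("choi.yj@naver.com", "whatever"),         # no matching work account
    ]
    return audit_reuse(directory, leaked)


if __name__ == "__main__":
    print(demo())  # flags only kim.ms
```

The audit only catches reuse for passwords that actually appear in breach data; an attacker who phishes or brute-forces the personal mailbox directly, as the article suggests happened here, is not visible to it. The stronger control is to forbid the same password on personal and work accounts outright, which is only enforceable by screening new work passwords against breach corpora at set time.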

Kimsuky, the best known of North Korea’s hacking organizations, intercepted information by exploiting weaknesses in partner companies’ groupware email servers.

An official with the police said this was “the first instance we’ve found of North Korean hacking organizations — which have been known in the past to divide up duties — waging a coordinated all-out attack with the common goal of seizing defense industry technology.”

Historically, Kimsuky has been known to mainly target government organizations and politicians, while Lazarus and Andariel have respectively targeted financial institutions and defense institutions. Police also determined Lazarus to have spearheaded a recently confirmed infiltration of computer networks in the judiciary.

By Lee Ji-hye, staff reporter

Please direct questions or comments to [english@hani.co.kr]
