North Korean hackers breached the Korea Atomic Energy Research Institute (KAERI) through a virtual private network (VPN) vulnerability, a member of the South Korean National Assembly's intelligence committee disclosed.
The intrusion was detected on May 31 and first reported earlier this month by the South Korean outlet Sisa Journal.
KAERI is a government-funded institute researching the application of nuclear power in the country, including reactors and fuel rods.
The state-run institution initially tried to cover up the security breach but later apologized in a press conference, attributing the mistake to “working-level staff.”
No details of the VPN vulnerability exploited by the North Korean hackers have been made public.
Ha Tae-Keung, an opposition member of the intelligence committee, said the breach would pose serious security risks if any information had leaked to North Korea.
Kimsuky was responsible for hacking the Korea Atomic Energy Research Institute
South Korean cybersecurity experts traced the May 14 intrusion to 13 IP addresses, including one previously used by the state-backed group Kimsuky.
The group, also known as Velvet Chollima, Black Banshee, or Thallium, is assessed to operate under North Korea's Reconnaissance General Bureau intelligence agency. (HIDDEN COBRA, sometimes listed as an alias, is the U.S. government's umbrella name for North Korean state cyber activity as a whole, not a name specific to Kimsuky.)
Malwarebytes has attributed the AppleSeed backdoor, recently used against high-profile government officials, to the group.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, warned in October 2020 that Pyongyang had tasked Kimsuky with a global intelligence-gathering mission.
The advanced persistent threat actor mostly targets the United States, South Korea, and Japan, collecting intelligence on foreign policy and national security issues concerning the Korean Peninsula, nuclear policy, and sanctions.
The cybersecurity firm IssueMakersLab said North Korea hackers sought access to South Korean government and education systems “on a daily basis.”
Reuters reported that North Korean hackers carried out similar attacks against several South Korean banks, a nuclear reactor, and the defense ministry in 2016.
South Korea's Sejong Institute, the Ministry of Unification, and the Korea Institute for Defense Analyses (KIDA) have also been targets of Kimsuky intrusions.
North Korean hackers exploited an undisclosed VPN vulnerability
South Korean officials have not disclosed which VPN vulnerability the North Korean hackers exploited. KAERI did state that it has blocked the implicated IP address and patched the vulnerability.
Widely deployed SSL VPN products such as Fortinet FortiOS, Pulse Connect Secure, SonicWall, and Citrix have each had at least one critical vulnerability exploited in the wild by Russian, Chinese, Iranian, or North Korean state-backed hackers.
CVE-2021-22893, an authentication bypass in Pulse Connect Secure with a CVSS score of 10.0, was used by politically motivated threat actors to breach European and U.S. defense networks.
The use of a VPN vulnerability for initial access could signal a major shift in Kimsuky's operations, which have usually relied on spear-phishing and social engineering.
“Attacks such as these remain an unsolved problem because everyone focuses on post-mortem rather than catching it early,” says Saumitra Das, CTO and Cofounder at Blue Hexagon. “In recent months, there has been an increased use of attacking the ‘security supply chain’ by leveraging CVEs in security vendor appliance software.”
Das adds that VPNs, firewalls, and email gateways are frequently used to compromise users and maintain persistence.
He also noted that prevention-based techniques usually fail to stop such attacks, which makes early detection and incident response important.
“Colonial Pipeline was the ‘canary in the coal mine’ for the rest of the world to understand how vulnerable our key infrastructure components are to cyberattacks,” says Garret Grajek, CEO of YouAttest. “It’s not enough just to meet compliance – we have to start ensuring our efforts for meeting compliance are also meeting real security objectives.”
He noted that threat actors frequently scan all systems for security vulnerabilities. According to Grajek, key infrastructure such as energy and water systems are lucrative targets for cyberattacks.
“It’s time to assume that the attackers will find a vulnerability and then gain an opening into our systems. What privileges have we granted remote users, what access have they been granted, how much damage can a rogue user do if they have access? This is where zero trust comes in and the auditing behind it,” Grajek said.