North Korean hacker working with laptop showing attack on defense companies

State-Sponsored North Korean Hackers Penetrated South Korean Defense Companies, Stole Sensitive Technical Data

South Korea’s National Police Agency has revealed that state-sponsored North Korean hackers have been waging an all-out espionage campaign against the country’s defense companies since at least 2022, and have lurked in the networks of some targets for over a year.

The incident involves at least three of the top state-affiliated teams of North Korean hackers: Lazarus, Anadriel and Kimsuky. The first of these breaches took place in 2022, and the APT groups have reportedly been feasting on subcontractors of the defense companies that have weak security practices.

North Korean hackers heavily targeted South Korean defense contractors

The North Korean hackers have been looking to quietly penetrate defense companies and dwell for long periods, extracting as much sensitive technical information as possible. The report does not name the specific companies that were breached, but the country has numerous manufacturers and global exporters of military hardware such as jets and tanks.

South Korean police say that the North Korean hackers were identified by known IP addresses, architecture and malware previously linked to these groups. The first known breach in this campaign took place in November 2022, when one of the unnamed defense companies had its intranet compromised during a routine network test that requires security software to be shut off temporarily.

The North Korean hackers seem to have detailed knowledge of the internal practices of these defense companies, but at times simply hacked their way in via a vulnerable contractor with poor security hygiene. In some cases, employees of subcontractors re-used credentials for both their personal and work email accounts.

Though the North Korean hackers have been working at this since at least late 2022, the campaign was not discovered until a special inspection was conducted by the National Police Agency and the Defense Acquisition Program Administration from mid-January to mid-February of this year. The agencies discovered multiple defense companies that had been compromised without anyone inside or outside of the organization being aware of it, and notified these parties as well as implementing additional security measures for critical national networks that might be impacted by these breaches.

At least three defense companies had technical data stolen from 2022 to 2023

In addition to the evidence gathered by the police, the attacks bear the hallmarks of North Korean hackers in terms of complexity in deploying persistent malware and covering their tracks to extend surreptitious access to the defense companies for as long as possible. Some arms industry experts have additionally noted that North Korean munitions are becoming more similar to those made by companies such as Korea Aerospace Industries and Hyundai Rotem as of late.

North Korean hackers have also struck the aerospace industry and defense companies before, with these APT groups suspected to be the culprits behind a 2023 attack on a South Korean shipbuilder that works on submarines and a contractor that works on the KF-21 supersonic fighter jet.

Lazarus is particularly brazen in its activities and readily identifiable by security researchers due to its heavy involvement in cryptocurrency theft, something that nation-state APT groups rarely do. The group has been around since at least 2009, rising from crude DDoS attacks against the US and South Korea to major capers such as the 2014 hack of Sony and the 2016 attacks on major Bangladesh banks. The group has always been highly active, advanced in its techniques, and devotes nearly as much time to stealing money as it does to espionage. Its major attacks on crypto platforms in recent years are essentially the main reason that overall cyber theft totals have spiked.

Andariel does not make the news as much, but is believed to have branched off from Lazarus and also has a long history of both attacks on defense companies and cyber heists aimed at financial institutions and crypto. Kimsuky has been active since at least 2012 and seems to have a special focus on South Korea, repeatedly attacking its government agencies and critical infrastructure.

North Korean hackers are hard to stop in part because the government puts so much effort into recruiting and developing them. Given its authoritarian structure, it has no trouble plucking particularly gifted students from the country’s school systems and sending them to Kim Chaek University of Technology, Kim Il-sung University and Moranbong University for special six-year vocational programs designed to make nation-state hackers out of them. Some security researchers also believe the country has a partnership in this area with China, sending these hacking students to a school in Shenyang for further training. The US Department of Justice has identified and indicted several members of these groups, but have thus far been limited to arresting several money mules that Lazarus employed.

Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit, notes that North Korea represents a unique one-two punch of top-flight APT talent scouring for money to steal at targets that such groups would otherwise usually have no interest in: “Heavily armored and weaponized nation-state threats are difficult to stop compared to lesser threats of opportunistic eCrime or more immature threats. A strong cyber risk management program can proactively reduce risk to prevent incidents, and when incidents do occur, detecting them quickly with limited blast radius, taking into account lessons learned, continually hardening and maturing one’s defensive posture. Security must be a top priority to defend against a wealth of mature adversaries that we’re now seeing on a global scale with a variety of means and motives.”

“In order to best defend, organizations should use available known TTPs from MITRE and available intelligence to map out DPRK’s most common go-tos. Organizations can then work to counter these TTPs specific to each their assets, criticality, architecture, and other unique risks and considerations for that organization. e.g. contains dozens of TTPs that can be analyzed against defensive infrastructure maturity and assets of an organization to prioritize and harden against attack,” added Dunham

Ngoc Bui, Cybersecurity Expert at Menlo Security, mentions the importance of anticipating attack groups that are this advanced: “APT threats, particularly those driven by state-level actors, are notoriously difficult to fully deter. The effectiveness of the defense often depends on the persistence and resources of the attacker. Essentially, if an APT or actor is highly motivated, there are few barriers that can’t eventually be overcome. DPRK groups, such as Lazarus, frequently reuse not only their malware but also their network infrastructure, which can be both a vulnerability and a strength in their operations. Their OPSEC failures, and reuse of infrastructure, combined with innovative tactics such as infiltrating companies, make them particularly intriguing to monitor. The best strategy to counter DPRK’s cyber operations involves employing adept threat intelligence analysts who are capable of not just tracking but also anticipating and identifying DPRK’s cyberattacks as they happen. This proactive approach is crucial in defending against their often predictable but effective TTPs.”