A suspected North Korean hacking group broke into the computer systems of South Korea’s atomic research agency, prompting fears that nuclear technology was compromised.
The threat actor breached the state-run Korea Atomic Energy Research Institute (KAERI) network via a “VPN system vulnerability” on 14 May, officials confirmed.
On 31 May the agency, which conducts research into nuclear power, reported the attack to the government and said 13 IP addresses were involved.
One of these addresses was traced back to North Korean hacking group Kimsuky by Seoul-based cybersecurity company IssueMakersLab.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), Kimsuky is an advanced persistent threat group that carries out hacks to “gain intelligence on various topics of interest to the North Korean government”. This is known to include foreign policy, nuclear policy and national security issues in the Korean peninsula.
Kimsuky, also known as Black Banshee, Velvet Chollima and Thallium, often uses spearphishing and social engineering methods to gain initial access to its targets before installing backdoor access to harvest information. In 2014 it conducted a cyberattack against Korea Hydro & Nuclear Power, South Korea’s nuclear and hydroelectric utility.
KAERI said it has blocked the attackers’ IP address and updated its VPN security. The nuclear agency is still investigating the extent of the damage, South Korea’s Ministry of Science and ICT said in a statement.
“The incident could pose serious security risks if any core information was leaked to North Korea, as KAERI is the country’s largest research agency studying nuclear technology including reactors and fuel rods,” said Ha Tae-keung, a member of the parliamentary intelligence committee, in a statement.
North Korea has long been developing nuclear weapons and in January this year displayed a new submarine-launched ballistic missile that Pyongyang claimed to be the “world’s most powerful weapon”.
KAERI said it “apologises for causing concern to the public due to this hacking accident”.
Korean news outlet SISA Journal first reported the cyberattack. Its initial reporting suggested KAERI had attempted to cover up the incident after it released a statement that there “was no hacking incident”.
KAERI has now clarified that this initial statement was a “mistake in the response of the working-level staff” (machine translated).
Jake Moore, cybersecurity specialist at internet security firm ESET, said: “Nation-state actors are different to cybercriminal gangs or individual attacks as they are often more difficult to prevent, largely due to their determination and persistence.
“Although high-profile cyberattacks use impressively sophisticated techniques to gain entry or cause disruption, they often still begin with phishing attacks targeted at individuals – which tend not to stop until access is gained. Segregation is key to protecting intellectual property and restricting access to sensitive information – but awareness is also imperative for all staff.”
North Korea is known to conduct cyberattacks against its neighbour. In November 2020 the notorious Lazarus group deployed malware using legitimate South Korean security software and digital certificates in a supply chain attack.