North Korean hackers attack South Korea’s construction, machinery sectors


North Korea has unleashed its army of hackers to steal South Korean commercial secrets that could be used to develop its own heavy industry.

Two state-sponsored North Korean hacker groups, Kimsuky and Andariel, were identified as the main culprits behind the cyberattacks in a joint cybersecurity advisory released by South Korea’s Cybersecurity Intelligence Community (KCIC).

Both hacker groups are linked to the Reconnaissance General Bureau (RGB), a North Korean intelligence agency founded in 2009 to carry out clandestine operations against South Korea, Japan, and the United States.


“It is rare for two hacking organizations under the RGB to simultaneously focus on attacking a specific sector to achieve the same policy objectives, indicating the need for thorough preparedness,” the advisory read.

The hacker groups are targeting South Korea’s construction, machinery, and urban development sectors as part of North Korea’s renewed development push that includes plans to build 20 modern industrial plants across the country.

The KCIC said it recorded a “significant increase” in hacking attacks targeting these particular sectors, as well as government officials.

“The North Korean party, military, and government are dedicated to implementing this policy, and their hacking organizations are equally engaged,” the KCIC said.

“It is suspected that North Korea intends to use the stolen data related to our country's construction, machinery, and urban development sectors in its industrial plant construction and local development plans,” it said.

“Meticulously” planned operations

In one cyberattack carried out in January and described by South Korean intelligence, the Kimsuky hacker group distributed malware through the website of a professional association in the construction sector.

The malware was hidden in the security authentication software used to log into the website. As a result, the personal computers of local government officials, public institution employees, and construction company staff who accessed the website were infected.


It is believed that the attackers exploited a file upload vulnerability on the professional association's website to tamper with the security authentication software the site served to visitors, in what the advisory called a “meticulously” planned operation.
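The advisory does not publish the association's code, so the handler below is an added illustration of the flaw class it names, not the site's own implementation: an upload handler that writes a client-supplied file name straight into the directory visitors download from (the vulnerable form), beside a handler that stores uploads under a server-chosen name outside the served tree (the hardened form). The directory layout, file names and contents are constructed for the example.

```python
"""Arbitrary file upload into a served directory, beside a hardened handler.

Added illustration, not the association's code. Assumes a site that serves a
login-authentication installer from a public download directory and also
accepts member uploads (the layout and names below are constructed).
"""
import os
import secrets
import tempfile

ALLOWED_EXT = {".pdf", ".png", ".jpg"}   # what members are expected to upload
MAX_BYTES = 5 * 1024 * 1024


def vulnerable_upload(download_dir: str, filename: str, content: bytes) -> str:
    """Writes the client-supplied name into the served directory.

    A request naming an existing file such as 'auth_plugin.exe' silently
    overwrites the installer every visitor downloads, and '../' in the name
    reaches outside the directory altogether."""
    path = os.path.join(download_dir, filename)
    with open(path, "wb") as f:
        f.write(content)
    return path


def hardened_upload(upload_dir: str, filename: str, content: bytes) -> str:
    """Stores uploads under a server-chosen name, outside the served tree.

    The client name only contributes an allow-listed extension; the stored
    name is random, so nothing served to visitors can be targeted, and
    exclusive create ('x') refuses to replace any existing file."""
    if len(content) > MAX_BYTES:
        raise ValueError("upload too large")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not permitted")
    stored = f"{secrets.token_hex(16)}{ext}"
    path = os.path.join(upload_dir, stored)
    with open(path, "xb") as f:
        f.write(content)
    return path


def demo() -> dict:
    """Runs both handlers against a constructed site layout and reports what happened."""
    with tempfile.TemporaryDirectory() as root:
        download_dir = os.path.join(root, "public", "download")  # served to visitors
        upload_dir = os.path.join(root, "private", "uploads")    # never served
        os.makedirs(download_dir)
        os.makedirs(upload_dir)
        installer = os.path.join(download_dir, "auth_plugin.exe")
        with open(installer, "wb") as f:
            f.write(b"genuine installer")

        # Vulnerable handler: the installer is replaced by whatever was uploaded.
        vulnerable_upload(download_dir, "auth_plugin.exe", b"trojanized installer")
        with open(installer, "rb") as f:
            after_vulnerable = f.read()

        # Hardened handler: same request is refused on extension alone.
        try:
            hardened_upload(upload_dir, "auth_plugin.exe", b"trojanized installer")
            exe_outcome = "accepted"
        except ValueError as e:
            exe_outcome = f"rejected: {e}"

        # A permitted type with a traversal prefix lands in the upload dir
        # under a random name; the supplied path is never used.
        stored = hardened_upload(upload_dir, "../../public/download/x.pdf", b"%PDF-1.4 member doc")
        return {
            "installer_after_vulnerable": after_vulnerable,
            "hardened_exe_outcome": exe_outcome,
            "hardened_pdf_in_upload_dir": os.path.dirname(stored) == upload_dir,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The hardened form still needs the served installer itself to be signed and its hash pinned by the client, since an upload check only closes one way of swapping it; the point here is that the web tier must never let a request choose the name or location of a file it writes.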

“It is presumed that the hackers aimed to use the compromised credentials of officials in the construction sector as a foothold to steal critical information about major construction projects and technical data from companies involved,” the KCIC said.

In another case, recorded in April, the North Korean hacking group Andariel exploited vulnerabilities in the VPN security software used by targeted construction and machinery companies, replacing that software's update files with malware.

In addition to the VPN products, Andariel also exploited vulnerabilities in server security products.

The threat actors used this access to distribute the remote access trojan DoraRAT, which, according to South Korean intelligence, was intended to transfer large design files for machinery and equipment to the attackers' command-and-control (C2) server.
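Both incidents described above turn on the same move: a file that clients trusted (the login authentication component on the association's site, the VPN product's update files) was replaced on the distribution side with a trojanized copy. The check below is an added illustration of the client-side defence, not code from the advisory or from any VPN vendor: the updater pins the expected size and SHA-256 of each release, obtained out of band, and refuses anything that does not match. Production updaters rely on code-signing signatures for this; digest pinning is used here so the example runs with the standard library only. The manifest, file names and contents are constructed for the example.

```python
"""Verifying an update file against a pinned digest before it is applied.

Added illustration, not code from the advisory or any vendor. Assumes the
client shipped with (or fetched over a separate channel) a manifest of
expected sizes and SHA-256 digests; all names and blobs are constructed.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed release manifest as a vendor would publish it out of band:
# file name -> (expected size in bytes, expected SHA-256).
PINNED = {
    "vpnclient-2024.04.bin": (len(b"genuine vpn update 2024.04"),
                              sha256_hex(b"genuine vpn update 2024.04")),
    "auth_plugin-1.2.exe":   (len(b"genuine auth plugin 1.2"),
                              sha256_hex(b"genuine auth plugin 1.2")),
}


def verify_update(name: str, data: bytes) -> tuple[bool, str]:
    """Return (ok, reason).

    Only a file whose name is pinned and whose size and digest both match is
    accepted: an unpinned name is not trusted by default, the size check
    rejects appended payloads cheaply, and the digest comparison is
    constant-time so the check leaks nothing about the pin."""
    pin = PINNED.get(name)
    if pin is None:
        return False, "no pinned digest for this file"
    size, digest = pin
    if len(data) != size:
        return False, f"size mismatch ({len(data)} != {size})"
    if not hmac.compare_digest(sha256_hex(data), digest):
        return False, "sha256 mismatch"
    return True, "ok"


def gate_updates(downloads: dict[str, bytes]) -> dict[str, str]:
    """Classify each downloaded file as 'apply' or 'reject: <reason>'."""
    verdicts = {}
    for name, blob in downloads.items():
        ok, reason = verify_update(name, blob)
        verdicts[name] = "apply" if ok else f"reject: {reason}"
    return verdicts


# Constructed downloads: one genuine file, one replaced with a copy that keeps
# the original bytes plus an appended payload, and one file not in the manifest.
CONSTRUCTED_DOWNLOADS = {
    "auth_plugin-1.2.exe":   b"genuine auth plugin 1.2",
    "vpnclient-2024.04.bin": b"genuine vpn update 2024.04" + b"\x00dropper",
    "helper.dll":            b"unrelated payload",
}

if __name__ == "__main__":
    for name, verdict in gate_updates(CONSTRUCTED_DOWNLOADS).items():
        print(f"{name}: {verdict}")
```

The manifest must not be fetched from the same server that serves the updates, or an attacker who can replace the update can replace the manifest with it; baking the pins into the client at build time, or signing the manifest, keeps the two channels independent.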

Kimsuky and Andariel are among the North Korean hacker groups working to fill the regime's coffers and further its geopolitical goals through malicious online activity, including espionage and attacks on the cryptocurrency industry.