North Korean hackers have ramped up their cyber espionage efforts, targeting South Korea’s construction and machinery sectors with sophisticated attacks. According to a joint advisory from South Korea’s National Cyber Security Center (NCSC) and other national security agencies, these hackers have exploited VPN software updates to infiltrate corporate networks and deploy malicious malware. This targeted campaign aims to steal valuable intellectual property and trade secrets, potentially aiding North Korea’s ambitious construction goals outlined in its recent development policies.
The advisory details two main hacking groups involved: Kimsuky and Andariel, both connected to North Korea’s Reconnaissance General Bureau. These groups have used advanced tactics, including supply chain and watering hole attacks, to achieve their objectives. In one notable instance, Kimsuky distributed malware through a compromised construction industry association website in January 2024. The malware, hidden within security authentication software, was designed to infect PCs used by personnel from local governments and construction firms, allowing the hackers to covertly steal sensitive information.
In April 2024, the Andariel group carried out another attack by exploiting vulnerabilities in VPN and server security software. By tampering with VPN client-server communication, the attackers were able to distribute remote control malware known as DoraRAT. This malware, although relatively simple, allowed the hackers to execute commands, upload and download files, and exfiltrate large volumes of data related to machinery and equipment design. The attack was particularly notable for its use of a watering hole technique, which increased the malware’s exposure by targeting websites frequently visited by construction and design professionals.
South Korean authorities have issued a comprehensive cybersecurity advisory to alert organizations to these threats and provide guidance on how to protect against them. The advisory includes detailed information on the tactics, techniques, and procedures employed by the attackers, as well as indicators of compromise. Organizations are urged to enhance their security measures, including regular updates to software and thorough network monitoring, to defend against these increasingly sophisticated cyber threats from North Korea.
Reference:
