South Korean officials have admitted that government nuclear think tank Korea Atomic Energy Research Institute (KAERI) was hacked in May 2021 by North Korea’s Kimsuky group. The Korean news outlet that broke the story has accused KAERI of a cover-up.
Malware analyst group IssueMakersLab said in a report that it detected an attack on KAERI on May 14th. The attack came from 13 internet addresses, one of which was traceable to Kimsuky.
The Kimsuky group is not new. According to the US Cybersecurity and Infrastructure Security Agency (CISA), the group is believed to be carrying out a North Korean global intelligence-gathering mission and has been operating since 2012. The group — which also goes by Velvet Chollima, Black Banshee, and Thallium — is believed to be responsible for numerous malware attacks, and in the past has targeted South Korean COVID-19 vaccine researchers and nuclear reactors.
The group often uses phishing pages that mimic websites such as Gmail, Outlook and Telegram. It then installs the Android and Windows backdoor “AppleSeed” to collect information.
Korea’s Ministry of Science and ICT (MSIT) said a vulnerability in a VPN used by KAERI allowed access to one of the agency’s servers. KAERI said it discovered the attack on May 31st and then took steps to block the IP addresses and install security patches.
South Korean news agency Yonhap has reported that the KAERI network was breached using an email address belonging to President Moon Jae-in’s former advisor, Moon Chung-in, that was acquired during a 2018 Kimsuky-attributed cyberattack.
The extent of damage has not been confirmed, said MSIT on Friday. Officials fear that the leaking of information pertaining to nuclear technology, like reactors and fuel rods, could pose security risks.
The attack was first reported by Korean news outlet, SISA Journal, which accused KAERI of concealing the breach. The journal cited a researcher who changed his position on the breach and related damage three times.
In response to the cover-up accusations, KAERI issued a statement describing (after machine translation) the researcher’s inconsistencies as follows:
The statement that “there was no hacking incident” was a mistake in the response of the working-level staff, which occurred in a situation where damage was not confirmed during investigation due to suspected infringement.
The attack on KAERI may be part of a larger ongoing campaign. Earlier this month, Malwarebytes reported a number of attacks on universities, government officials, and companies in South Korea, and attributed them to Kimsuky.