By Cam Sivesind
Thu | Apr 25, 2024 | 10:00 AM PDT

North Korea's prolific state-sponsored hacking units are once again setting their sights on South Korea's defense and arms manufacturing sector. According to cybersecurity analysts, the notorious Lazarus Group, as well as other crews like Kimsuky and Andariel, have launched multiple cyberattacks over the past year targeting South Korean companies involved in military and weapons technology development.

The apparent goal is to illegally obtain classified data, research, and intellectual property related to South Korea's most sensitive arms programs. Among them are specs on the next-generation KF-21 supersonic fighter jet being jointly developed with Indonesia, as well as cutting-edge submarine technology like that used in its latest Dosan Ahn Changho-class submarine.

Security researchers have evidence that Lazarus Group successfully breached at least two South Korean aerospace companies in 2023, making off with gigabytes of weapons systems data. The group employed sophisticated spear-phishing, watering hole attacks, and kernel-level malware to compromise the targets.

"Heavily armored and weaponized nation-state threats are difficult to stop compared to lesser threats of opportunistic eCrime or more immature threats," says Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit. "A strong cyber risk management program can proactively reduce risk to prevent incidents, and when incidents do occur, detecting them quickly with limited blast radius, taking into account lessons learned, continually hardening and maturing one's defensive posture."

"In order to best defend, organizations should use available known TTPs from MITRE and available intelligence to map out DPRK's most common go-tos," Dunham said. "Organizations can then work to counter these TTPs specific to each of their assets, criticality, architecture, and other unique risks and considerations for that organization. Documentation on the Lazarus Group contains dozens of TTPs that can be analyzed against defensive infrastructure maturity and assets of an organization to prioritize and harden against attack."

South Korea is home to major defense manufacturers such as Korea Aerospace Industries Ltd. (KAI), Hanwha Aerospace Co., LIG Nex1 Co., and Hyundai Rotem Co.

This is not the first time North Korea (DPRK) has waged cyber espionage campaigns against the South's military-industrial base. In 2021, Andariel stole reams of data on the KF-21's wing and fuselage design, while Kimsuky infiltrated shipbuilders to pilfer submarine intelligence. North Korea is heavily sanctioned, so it likely views this stolen data as a way to accelerate its own arms development and achieve technical parity.

South Korea has accused its neighbor of being one of the world's most disruptive and capable cyber powers. The incidents underscore that despite international condemnation, North Korea's hacking units remain undeterred in their relentless cyber operations targeting South Korea, global banks, cryptocurrency firms and more to generate funds and data for the Kim regime's priorities.


"Advanced Persistent Threats, particularly those driven by state-level actors, are notoriously difficult to fully deter. The effectiveness of the defense often depends on the persistence and resources of the attacker," said Ngoc Bui, Cybersecurity Expert at Menlo Security. "Essentially, if an APT or actor is highly motivated, there are few barriers that can't eventually be overcome. DPRK groups, such as Lazarus, frequently reuse not only their malware but also their network infrastructure, which can be both a vulnerability and a strength in their operations. Their OPSEC failures, and reuse of infrastructure, combined with innovative tactics such as infiltrating companies, make them particularly intriguing to monitor.

"The best strategy to counter DPRK's cyber operations involves employing adept threat intelligence analysts who are capable of not just tracking but also anticipating and identifying DPRK's cyberattacks as they happen. This proactive approach is crucial in defending against their often predictable but effective TTPs."

South Korea's defense industry has experienced breaches previously due to security systems that lack integrity. The KF-21 technology was allegedly leaked to Indonesia, South Korea's partner for the jet's development, while Taiwan was suspected of taking the technology of a submarine developed by Daewoo Shipbuilding & Marine Engineering Co., currently Hanwha Ocean Co.
