Attackers Exploited VPN Flaw at Nuclear Agency
The Korea Atomic Energy Research Institute, a South Korean organization, confirms it was recently hacked, apparently by a North Korean group that exploited a VPN vulnerability.
On May 14, 13 unauthorized external IP addresses accessed its servers, the Daejeon-based institute says.
The unauthorized VPN access was immediately stopped, and the attackers’ IP addresses were blocked, the Ministry of Science and ICT says. The institute says it has made a VPN system security update.
The institute also says it’s working with other related organizations to investigate the attack and determine the extent of the impact.
Although the hacking code has not yet been fully analyzed, the attack is suspected to have originated in North Korea, an unidentified cybersecurity expert told local news outlet Sisa Journal, which first reported the incident.
The expert, who said he examined the attack code, said it was similar to code previously used by the North Korean attack group known as Kimsuky, Sisa reports.
Kimsuky, also called Thallium, Black Banshee and Velvet Chollima, primarily targets businesses, including financial firms, and government institutions in South Korea, the U.S. Cybersecurity and Infrastructure Security Agency reports. Kimsuky, active since 2012, has also conducted espionage campaigns against targets in the U.S. and Japan.
Earlier this month, Kimsuky updated its tactics, techniques and procedures and began to use an AppleSeed backdoor as it continued to launch espionage attacks, according to the security firm Malwarebytes (see: APT Group Kimsuky Has New Attack Technique, Researchers Say).
The Malwarebytes threat intelligence team, which has been monitoring Kimsuky activities, says it spotted phishing websites, malicious documents and scripts the group used to target high-profile individuals within the government of South Korea.
The Kimsuky group sets up phishing infrastructure to effectively mimic well-known websites and trick victims into entering their credentials, Malwarebytes researchers say.
In one of its attacks against the South Korean government, Kimsuky reused the infrastructure that had been used to host its phishing websites for AppleSeed backdoor command-and-control communications, Malwarebytes says.
For the initial infection, the threat actor distributed its dropper, embedded in an archive file attachment, through a spear-phishing email. It had collected target email addresses through previous phishing campaigns, Malwarebytes reports. Once the payload was installed, AppleSeed collected, compressed and encrypted data to send it to the command-and-control server using HTTP POST requests in a separate thread.
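The exfiltration pattern described above, compressed and encrypted data sent to a command-and-control server over HTTP POST, leaves a recognizable trace in web-proxy logs: one internal client repeatedly POSTing opaque, high-entropy bodies to the same external host. The following defensive triage script is an added example, not code from the article, from Malwarebytes, or from the AppleSeed analysis; the log format, the hostnames and every log line are constructed placeholders, and the thresholds (three or more POSTs, average body entropy of 4.0 bits per character or higher) are assumptions to tune against your own traffic.

```python
"""Flag external hosts receiving repeated HTTP POSTs with encrypted-looking bodies.

Added defensive example. Real proxy logs will differ in format; adjust LINE_RE.
"""
import math
import re
from collections import Counter, defaultdict

# Assumed log layout: ts client method host status bytes body_sample
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<body>\S+)$"
)

# Constructed sample lines; hostnames and bodies are placeholders, not indicators.
SAMPLE_LOG = """\
2021-05-14T09:00:01 10.0.0.21 GET www.intranet.placeholder.test 200 0 -
2021-05-14T09:00:05 10.0.0.21 POST exfil-host.placeholder.test 200 2048 Qz8LmK2vTb9Xw3Rp7Jc1Fh5NdG0Ya4Ue
2021-05-14T09:05:05 10.0.0.21 POST exfil-host.placeholder.test 200 1910 m3Vb7TqZ1Kx9Rw2Lp8Jc4Fh6Nd0GyAeU
2021-05-14T09:10:04 10.0.0.21 POST exfil-host.placeholder.test 200 2211 Wk5Jp1Zx8Tm3Qv9Lb2Rc7Fh4Nd6Gy0Ue
2021-05-14T09:15:06 10.0.0.21 POST exfil-host.placeholder.test 200 2050 Rt2Qm8Zk5Lv1Xb9Wp3Jc7Fh4Nd6Gy0Ue
2021-05-14T09:03:00 10.0.0.22 POST sso.placeholder.test 200 64 status=ok&status=ok&status=ok
2021-05-14T09:04:00 10.0.0.22 POST sso.placeholder.test 200 64 status=ok&status=ok&status=ok
2021-05-14T09:06:00 10.0.0.22 POST sso.placeholder.test 200 64 status=ok&status=ok&status=ok
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; compressed or encrypted data scores high, form data low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str) -> list:
    """Parse lines matching LINE_RE into dicts; silently skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def find_beaconing(records: list, min_posts: int = 3, min_entropy: float = 4.0) -> list:
    """Group POSTs with a body by (client, host); flag repeated high-entropy uploads."""
    groups = defaultdict(list)
    for rec in records:
        if rec["method"] == "POST" and rec["body"] != "-":
            groups[(rec["client"], rec["host"])].append(shannon_entropy(rec["body"]))
    hits = []
    for (client, host), entropies in groups.items():
        avg = sum(entropies) / len(entropies)
        if len(entropies) >= min_posts and avg >= min_entropy:
            hits.append({"client": client, "host": host,
                         "posts": len(entropies), "avg_entropy": round(avg, 2)})
    # Most active pairs first so an analyst sees the strongest signal at the top
    return sorted(hits, key=lambda h: h["posts"], reverse=True)


if __name__ == "__main__":
    for hit in find_beaconing(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['host']}: {hit['posts']} POSTs, "
              f"avg body entropy {hit['avg_entropy']} bits/char")
```

The low-entropy client in the sample (repeated form-style POSTs to an SSO host) is deliberately left unflagged: volume alone is not the signal, and a rule that fires on every frequent POST will bury the one upload pattern worth a look. The inverse caveat also applies, since legitimate TLS-wrapped or base64-encoded traffic scores high on entropy too, so treat a hit as a lead to correlate with the destination's reputation and the client's normal behaviour, not as a verdict.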