CyberSecurity SEE

North Korean Hackers Exploit VPN Update Flaw To Breach Networks

North Korean state-sponsored hacking groups, specifically Kimsuky (APT43) and Andariel (APT45), have intensified their cyberattacks on South Korea's construction and machinery sectors. The surge coincides with Kim Jong-un's "Local Development 20×10 Policy," which aims to modernize industrial facilities in North Korea and creates demand for exactly the engineering data these sectors hold.

In response to these growing threats, South Korea’s National Cyber Security Center (NCSC) and intelligence agencies have collaborated to issue a detailed joint cybersecurity advisory. This advisory warns organizations that North Korean hackers have been exploiting vulnerabilities in VPN updates to infiltrate networks. The goal of this advisory is to help organizations prevent and minimize potential damage from cyberattacks, as stolen data could be used to further North Korea’s industrial and urban development plans.

The advisory highlighted two specific cases of cyberattacks on South Korean industries. In the first, the Kimsuky group carried out a supply chain attack on a South Korean construction industry website in January 2024. The attackers trojanised the site's security authentication software, NX_PRNMAN, so that government employees, public-institution staff and construction professionals who visited the site received the malware "TrollAgent", written in Go. The malware collected sensitive data, including passwords, GPKI certificates and SSH keys, and was signed with a legitimate digital certificate, which let it pass security controls that trust any validly signed binary.

Similarly, in April 2024, Andariel attacked South Korean construction and machinery firms by exploiting vulnerabilities in domestic VPN products and server security software. Weaknesses in the client-server communication protocol let the attackers send disguised HTTP packets that bypassed the client's verification, so malware could be delivered as what looked like a legitimate software upgrade, giving Andariel remote control over the infected machines. These attacks show how North Korea's campaigns have evolved and underline the need for stronger cybersecurity in South Korea's industrial infrastructure.
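The Andariel case turns on an update client that trusted the transport: spoofed HTTP traffic was enough to get a trojanised "upgrade" installed, and the Kimsuky case shows that a valid code-signing certificate on its own proves nothing about who the publisher is. The Go program below is an added example, not code from the advisory, the affected vendors or either hacking group. It contrasts the weak pattern (install whatever the server announces) with a client that pins the vendor's Ed25519 public key, refuses downgrades and replays, insists on HTTPS and checks the payload hash against the signed manifest. The manifest format, hostnames, key pairs and sample payloads are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a hypothetical update descriptor. The three-field layout is an
// assumption made for this example, not any real product's update format.
type Manifest struct {
	Version uint64
	SHA256  string // hex SHA-256 of the update payload
	URL     string // where the payload is fetched from
}

// canonical is the exact byte string the vendor signs. Signing the manifest rather
// than trusting the transport means a spoofed HTTP response cannot alter the
// version, hash or URL without breaking the signature.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("version=%d\nsha256=%s\nurl=%s\n", m.Version, m.SHA256, m.URL))
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// naiveAccept models the weak client: it installs whatever a server announces as
// an update. Anyone who can answer (or spoof) the HTTP exchange decides what runs.
func naiveAccept(headers map[string]string, payload []byte) bool {
	return headers["X-Update"] == "available" && len(payload) > 0
}

// verifiedAccept is the hardened client. The vendor key is pinned in the binary, so
// a signature from *some* valid key (an attacker's own certificate, for instance) is
// not enough; the version must move forward; the source must be HTTPS; and the
// payload must hash to the value the vendor signed.
func verifiedAccept(pinned ed25519.PublicKey, installed uint64, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, m.canonical(), sig) {
		return errors.New("manifest not signed by the pinned vendor key")
	}
	if m.Version <= installed {
		return fmt.Errorf("downgrade or replay: offered %d, installed %d", m.Version, installed)
	}
	if !strings.HasPrefix(m.URL, "https://") {
		return errors.New("update must be fetched over https")
	}
	if !strings.EqualFold(sha256Hex(payload), m.SHA256) {
		return errors.New("payload hash does not match signed manifest")
	}
	return nil
}

func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// runScenarios builds constructed sample traffic (one genuine update and three
// attacker-controlled offers) and returns each client's verdict per scenario.
func runScenarios() (naive map[string]bool, verified map[string]error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // valid key, wrong owner
	const installed uint64 = 41

	genuine := []byte("constructed: real vpn client build 42")
	trojan := []byte("constructed: trojanised installer")
	oldBuild := []byte("constructed: vulnerable vpn client build 40")

	good := Manifest{Version: 42, SHA256: sha256Hex(genuine), URL: "https://updates.example/vpn-42.bin"}
	goodSig := signManifest(vendorPriv, good)

	// Attacker signs a manifest for the trojan with their own, otherwise-valid key.
	forged := Manifest{Version: 43, SHA256: sha256Hex(trojan), URL: "https://updates.example/vpn-43.bin"}
	forgedSig := signManifest(attackerPriv, forged)

	// Attacker replays an old, genuinely vendor-signed manifest to push a vulnerable build.
	old := Manifest{Version: 40, SHA256: sha256Hex(oldBuild), URL: "https://updates.example/vpn-40.bin"}
	oldSig := signManifest(vendorPriv, old)

	hdr := map[string]string{"X-Update": "available"}
	naive = map[string]bool{
		"genuine":      naiveAccept(hdr, genuine),
		"forged-key":   naiveAccept(hdr, trojan),
		"swapped-body": naiveAccept(hdr, trojan), // vendor manifest, payload swapped in transit
		"replay-old":   naiveAccept(hdr, oldBuild),
	}
	verified = map[string]error{
		"genuine":      verifiedAccept(vendorPub, installed, good, goodSig, genuine),
		"forged-key":   verifiedAccept(vendorPub, installed, forged, forgedSig, trojan),
		"swapped-body": verifiedAccept(vendorPub, installed, good, goodSig, trojan),
		"replay-old":   verifiedAccept(vendorPub, installed, old, oldSig, oldBuild),
	}
	return naive, verified
}

func main() {
	naive, verified := runScenarios()
	for _, name := range []string{"genuine", "forged-key", "swapped-body", "replay-old"} {
		fmt.Printf("%-13s naive=%v verified=%v\n", name, naive[name], verified[name])
	}
}
```

The naive client accepts all four offers; the hardened client accepts only the genuine one and reports a distinct reason for each attack. The order of checks matters: the signature is verified before anything else so that unsigned data never influences a decision, and the version check precedes the hash check so a replayed but intact old build is still refused.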

To address these threats, the advisory lists mitigations for organizations to implement: continuous security education for all staff, with separate training tracks for general employees and IT professionals; timely patching of operating systems and software; strict software deployment policies; adherence to government cybersecurity recommendations; and consultation with the affected manufacturers on urgent actions. It also points organizations to specific security guidelines for supply chain security and software development.

Overall, the joint cybersecurity advisory issued by South Korea’s NCSC and intelligence agencies underscores the importance of proactive measures to combat the increasing cyber threats posed by North Korean state-sponsored hacking groups. By implementing the recommended mitigations and enhancing cybersecurity practices, organizations can strengthen their defenses against sophisticated cyberattacks and safeguard their critical infrastructure from malicious actors.
