North Korea-linked APT group Kimsuky breached KAERI
South Korea’s Korea Atomic Energy Research Institute revealed that its internal network was breached by North Korean threat actors last month through the exploitation of a VPN vulnerability.
The Korea Atomic Energy Research Institute, or KAERI, is a government-sponsored institute for the research and application of nuclear power in South Korea.
News of the breach surfaced earlier this month when the South Korean outlet Sisa Journal began reporting on the attack. At the time, KAERI first confirmed and then denied that the intrusion had occurred.
KAERI has now officially confirmed the attack and apologized for attempting to cover up the incident.
KAERI states the attack occurred on May 14th after North Korean threat actors breached their internal network using a VPN vulnerability.
KAERI has since patched the VPN device, which it has not identified, to close the vulnerability. According to the access logs, however, thirteen distinct unauthorized IP addresses had already gained access to the internal network through the VPN.
One of those IP addresses is linked to Kimsuky, a North Korean state-sponsored hacking group that operates under the Reconnaissance General Bureau, North Korea’s intelligence agency.
The incident could pose serious security risks if any core information was leaked to North Korea, as KAERI is the country’s largest think tank studying nuclear technology including reactors and fuel rods.
According to a KAERI spokesperson, the threat actors exploited a vulnerability in a virtual private network server to gain access to the network of the institute.
They checked the history of access to some systems by unknown outsiders through the VPN system vulnerability. Accordingly, the attacker IP addresses were blocked and a security update was applied to the VPN system.
KAERI is still investigating the breach and the extent of the damage. South Korean authorities have not disclosed which VPN vendor’s product was targeted.
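The response KAERI describes, reviewing VPN access history for logins from unknown outside addresses and then blocking them, is a routine triage step that is easy to script. The following is an added example and not KAERI’s tooling or any vendor’s log format: the log lines are constructed in a generic “user=… src=… result=…” syslog style, and the allowlist of approved source networks is assumed. Real appliances each have their own format, so the regex is the part to adapt.

```python
"""Triage VPN access logs for successful logins from unapproved source IPs.

Added illustrative example. The sample log lines, the approved-network
allowlist and the log format itself are all constructed assumptions.
"""
import ipaddress
import re

# Constructed sample log lines (not real KAERI data). Assumed to be in
# chronological order, as appliance logs normally are.
SAMPLE_LOG = """\
2021-05-14T02:11:03Z vpn01 sslvpn: user=jkim src=203.0.113.45 result=success
2021-05-14T02:12:40Z vpn01 sslvpn: user=jkim src=203.0.113.45 result=success
2021-05-14T03:05:17Z vpn01 sslvpn: user=admin src=198.51.100.77 result=success
2021-05-14T03:07:52Z vpn01 sslvpn: user=admin src=198.51.100.77 result=success
2021-05-14T04:30:00Z vpn01 sslvpn: user=mlee src=10.20.0.9 result=success
2021-05-14T05:12:08Z vpn01 sslvpn: user=svc_backup src=192.0.2.201 result=failure
2021-05-14T05:12:09Z vpn01 sslvpn: user=svc_backup src=192.0.2.201 result=success
2021-05-14T06:00:41Z vpn01 sslvpn: garbage line without fields
"""

# Assumed allowlist: the institute's own address space and known egress ranges.
APPROVED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Generic "ts host program: user=X src=Y result=Z" layout (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+\S+\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\w+)"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:  # malformed address field
        return None
    return {"ts": m["ts"], "user": m["user"], "src": src, "result": m["result"]}


def is_approved(addr):
    return any(addr in net for net in APPROVED_NETWORKS)


def find_unauthorized(log_text):
    """Map each unapproved source IP with at least one successful login to
    the accounts it used, its first/last timestamps and its login count."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue  # skip junk lines and failed attempts
        if is_approved(rec["src"]):
            continue
        key = str(rec["src"])
        entry = hits.setdefault(
            key, {"users": set(), "first": rec["ts"], "last": rec["ts"], "count": 0}
        )
        entry["users"].add(rec["user"])
        entry["last"] = rec["ts"]
        entry["count"] += 1
    return hits


def block_rules(hits):
    """Render one host-level DROP rule per flagged address, lowest IP first.
    iptables is just one possible enforcement point; a firewall or the VPN
    appliance's own deny list would do equally well."""
    return [
        f"iptables -I INPUT -s {ip}/32 -j DROP"
        for ip in sorted(hits, key=ipaddress.ip_address)
    ]


if __name__ == "__main__":
    found = find_unauthorized(SAMPLE_LOG)
    print(f"{len(found)} unapproved source IP(s) with successful logins")
    for ip, info in found.items():
        users = ", ".join(sorted(info["users"]))
        print(f"  {ip}: {info['count']} login(s) as {users} "
              f"between {info['first']} and {info['last']}")
    for rule in block_rules(found):
        print(rule)
```

Two points from the triage matter more than the block list. Only successful logins are counted, because a failed attempt from an unknown address is noise while a success from one is a compromised credential or an exploited appliance. And every flagged address carries the accounts it used, since those accounts, not just the IPs, need to be reset and their session history reviewed. Blocking the thirteen addresses, as KAERI did, stops the observed channel but says nothing about what the intruders did once inside, which is why the damage assessment is the longer part of the job.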
The North Korea-linked hacking group Kimsuky (also tracked as Black Banshee, Thallium and Velvet Chollima) was first documented by Kaspersky researchers in 2013.
Malwarebytes recently published a report describing how Kimsuky has been actively targeting South Korean government entities with the ‘AppleSeed’ backdoor delivered through phishing attacks.