How to steal a Skyscraper: South Korea's construction secrets leak to its northern neighbor

The recent surge in attacks coincided with the launch of North Korea's industrial development program.

State-sponsored North Korean threat groups such as Kimsuky (APT43) and Andariel (APT45) have sharply increased their cyber attacks on South Korea's construction and engineering sectors. The surge coincides with Kim Jong-un's "20x10 Local Industry Development" policy, which aims to modernize industrial facilities across North Korea.

South Korea's National Cyber Security Center (NCSC) and local intelligence agencies issued a joint warning that North Korean hackers are particularly active in exploiting weaknesses in VPN software update mechanisms to break into targeted networks.

The warning also provides other important details aimed at helping organizations prevent and minimize potential damage, as stolen data can be used to develop North Korea's industrial and urban infrastructure.

In January 2024, the Kimsuky group carried out a supply-chain attack through the website of a South Korean construction industry organization. The attackers compromised the NX_PRNMAN security authentication software distributed via the site, so that users who installed it received a trojanized build.

The malware, a Go-written backdoor called "TrollAgent", infected the computers of government employees, staff of public institutions and construction professionals who used the compromised site for authentication. TrollAgent collected system information, took screenshots, and stole sensitive data, including credentials saved in browsers, GPKI (Government PKI) certificates, SSH keys, and even FileZilla client data.

In the more recent incident, in April 2024, the Andariel group attacked South Korean construction and engineering companies by exploiting vulnerabilities in a domestic VPN product and in server security software. The attackers abused weaknesses in the client-server update protocol, which did not adequately authenticate the server that answered the client's update requests.

Andariel's method involved sending crafted responses, disguised as ordinary HTTP traffic, to user PCs in reply to the VPN client's update check. Because the client's verification of the update source could be bypassed, the attackers were able to pose as the legitimate VPN server and redirect the client to a malicious C2 server.

From there, the DoraRAT malware was delivered as a fake software update, giving Andariel remote control over the infected machines. The technique marks a shift in North Korean intrusion tactics toward abusing trusted update channels, and underlines the need to harden the software that South Korea's industrial infrastructure depends on.
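To make the update-channel weakness concrete, here is an added example (not code from the advisory, from the affected VPN vendor, or from the attackers) that contrasts a client which trusts whatever answers its update check with one that pins the vendor's release key. The message format, field names, the use of ed25519 signatures over a manifest, and the sample payload strings are all assumptions constructed for illustration; the real VPN product's protocol is not documented on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateResponse models the reply a VPN client receives when it asks the
// server whether a new version exists. Field names are assumptions.
type UpdateResponse struct {
	Version       string
	Payload       []byte // the update binary the client will execute
	PayloadSHA256 string // hex digest the sender claims for Payload
	Signature     []byte // ed25519 signature over manifest(Version, digest)
}

// manifest is the byte string the vendor signs: version plus payload digest.
func manifest(version, digest string) []byte {
	return []byte("version=" + version + "\nsha256=" + digest)
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// buildRelease is the vendor side: the release pipeline signs the manifest
// with a private key that never leaves the build infrastructure.
func buildRelease(priv ed25519.PrivateKey, version string, payload []byte) UpdateResponse {
	digest := sha256Hex(payload)
	return UpdateResponse{
		Version:       version,
		Payload:       payload,
		PayloadSHA256: digest,
		Signature:     ed25519.Sign(priv, manifest(version, digest)),
	}
}

// weakClientUpdate mirrors the flaw described above: the client never
// authenticates who answered the update check. It only compares the payload
// against a digest that arrived in the same untrusted reply, so a spoofed
// "server" that controls both fields passes trivially.
func weakClientUpdate(resp UpdateResponse) ([]byte, error) {
	if sha256Hex(resp.Payload) != resp.PayloadSHA256 {
		return nil, errors.New("digest mismatch")
	}
	return resp.Payload, nil // would now be written to disk and executed
}

// hardenedClientUpdate pins the vendor's release public key in the client.
// The manifest must carry a valid signature from that key, and the payload
// must match the digest inside the signed manifest. A spoofed server or a
// redirect to a C2 host cannot produce either without the private key.
func hardenedClientUpdate(vendorPub ed25519.PublicKey, resp UpdateResponse) ([]byte, error) {
	if !ed25519.Verify(vendorPub, manifest(resp.Version, resp.PayloadSHA256), resp.Signature) {
		return nil, errors.New("manifest signature invalid: update server not authenticated")
	}
	if sha256Hex(resp.Payload) != resp.PayloadSHA256 {
		return nil, errors.New("payload does not match signed manifest")
	}
	return resp.Payload, nil
}

// spoofedResponse is the attacker's reply: same format as the real server,
// signed with the attacker's own key, carrying a malicious payload.
func spoofedResponse(attackerPriv ed25519.PrivateKey, version string, malware []byte) UpdateResponse {
	return buildRelease(attackerPriv, version, malware)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample payloads; no real binaries are involved.
	legit := buildRelease(vendorPriv, "2.1.0", []byte("vpnclient-2.1.0 (constructed sample)"))
	spoof := spoofedResponse(attackerPriv, "2.1.1", []byte("fake update dropper (constructed sample)"))

	_, err := weakClientUpdate(spoof)
	fmt.Println("weak client accepts spoofed update:", err == nil)
	_, err = hardenedClientUpdate(vendorPub, spoof)
	fmt.Println("hardened client rejects spoofed update:", err != nil)
	_, err = hardenedClientUpdate(vendorPub, legit)
	fmt.Println("hardened client accepts vendor-signed update:", err == nil)

	// Replay trick: reuse the genuine signed manifest but swap the binary.
	tampered := legit
	tampered.Payload = []byte("swapped binary (constructed sample)")
	_, err = hardenedClientUpdate(vendorPub, tampered)
	fmt.Println("hardened client rejects swapped payload:", err != nil)
}
```

The point of the hardened variant is that trust comes from a key baked into the client, not from the network peer: TLS alone does not help if the client can be redirected to an attacker-controlled host that presents a valid certificate for its own name, whereas a signed manifest is useless to anyone without the vendor's release key. In a real deployment the pinned key would also need a rotation plan and the client should reject downgrades (a version lower than the one installed), which this example omits.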

Such incidents highlight the sophistication of North Korean cyber operations against South Korea's infrastructure sectors. NCSC protection guidelines include:
  • Continuous security training for all staff of companies in the targeted sectors.
  • Specialized training for IT staff.
  • Timely updates of operating systems, applications, and antivirus software.
  • Strict verification (matching) rules for software deployment.
  • Administrator authentication at the final stage of deployment.
  • Following government cybersecurity recommendations and contacting vendors directly for urgent action.
  • Applying the KISA supply chain security and secure software development guidelines.

The rise in cyberattacks by North Korea underscores the need to strengthen cybersecurity measures in South Korea. Protecting critical sectors requires not only technical readiness, but also continuous training and awareness of all employees.
