South Korea’s ‘Korea Atomic Energy Research Institute (KEPI) said that their networks were attacked by North Korean hackers using a VPN vulnerability.
KAERI is a government-affiliated institute that carries out research related to nuclear energy in South Korea.
The attack was first reported by South Korea’s Sisa Journal media outlet.
After initially confirming the attack, KAERI then denied that the attack ever took place. In the statement issued yesterday, the institute apologized for trying to conceal the incident.
According to the company, the attack took place on June 14, 2018, after North Korean threat actors exploited a VPN vulnerability in their network. They have fixed the issue and updated the device to prevent unauthorized access. The issue allowed 13 different IP addresses to gain unauthorized access to the network.
One of the IP addresses is linked to a North Korean group known as Kimsuky that works for a North Korean intelligence agency.
In October 2020, the CISA stated that the Kimsuky group (aka Thallium, Black Banshee, and Velvet Chollima) is most likely tasked with gathering intel for the North Korean regime. According to Malwarebytes, Kimsuky and other groups associated with the Korean Resistance have been targeting the South Korean Government using the AppleSeed backdoor.
“One of the lures used by Kimsuky named “외교부 가판 2021-05-07” in Korean language translates to “Ministry of Foreign Affairs Edition 2021-05-07” which indicates that it has been designed to target the Ministry of Foreign Affairs of South Korea,” explains Malwarebytes’ report. “According to our collected data, we have identified that it is one entity of high interest for Kimsuky.”
Malwarebytes states that Kimsuky has targeted other South Korean government agencies in recent phishing attacks, including:
Ministry of Foreign Affairs, Republic of Korea 1st Secretary
Ministry of Foreign Affairs, Republic of Korea 2nd Secretary
Trade Minister
Deputy Consul General at Korean Consulate General in Hong Kong
International Atomic Energy Agency (IAEA) Nuclear Security Officer
Ambassador of the Embassy of Sri Lanka to the State
Ministry of Foreign Affairs and Trade counselor
According to KAERI, they are still investigating the incident to confirm what information was accessed.