
N.Korean hackers attack South’s arms makers for tech data

Lazarus, Kimsuky, Andariel reportedly previously stole tech related to S.Korea’s supersonic fighter jet and latest submarine

Apr 23, 2024 (GMT+09:00)


(Courtesy of Getty Images Bank)

North Korean hackers allegedly attacked South Korean arms manufacturers and stole technical data from them over more than a year, Seoul’s police said on Tuesday, raising the alarm for the South’s national security.

North Korea’s three largest hacking groups – Lazarus, Kimsuky and Andariel – carried out cyberattacks on 83 defense contractors in the South and took confidential information from about 10 of them from October 2022 to July 2023, according to the National Office of Investigation under the police agency.

None of the defense companies were aware of the attacks before the police launched the investigation, boosting concerns over industry-wide security systems.

North Korean leader Kim Jong Un may have been behind the infiltration, as it was the first time the three hacking teams linked to Pyongyang's intelligence apparatus had mounted “all-out” cyber heists together, although individual groups had previously attempted to steal certain technology, the police said.

“North Korea is expected to continue cyberattacks to steal defense technology,” said an official at the South Korean investigation office. “We will make efforts to strengthen the security of the defense industry with the DAPA,” the official added, referring to Seoul’s arms procurement agency, the Defense Acquisition Program Administration.

INCREASINGLY SIMILAR

The police investigated South Korean defense contractors with the DAPA and the National Intelligence Service (NIS) for a month from Jan. 15 while taking measures such as blocking overseas Internet Protocol (IP) addresses and separating internal and external networks to prevent further security damage.

The authorities have not disclosed details such as the names of companies hit by the cyberattacks and the information leaked on specific weapon systems, considering the impact of such information on national security and the local defense industry.

South Korea is home to major defense makers such as Korea Aerospace Industries Ltd. (KAI), Hanwha Aerospace Co., LIG Nex1 Co. and Hyundai Rotem Co.

National security is likely to be at risk if core weapon designs developed and produced in the country have been leaked, industry sources said.

“North Korean arms are getting increasingly similar to those of the South. The shape of the KN-23, the North’s surface-to-surface missile recently identified, is similar to the Hyunmoo-4, our ballistic missile,” said one of the sources in Seoul.

“It will be a huge hit if data on missiles and unmanned aerial vehicles were leaked.”

TOP THREE HACKING GROUPS

The South Korean police said the hackers’ methods were consistent with those of North Korean groups such as Lazarus, Kimsuky and Andariel, considering the IP addresses the attacks came from, the malicious code used and the way the servers were set up.

National security authorities in Seoul assess that North Korea’s cyberattack capabilities are among the world’s top 10 in general and the best in the financial and cryptocurrency sectors.

“North Korea is trying to seek anything necessary through cyberattacks, even attempting to hack Russian companies,” said an NIS official.

The Lazarus Group, which operates under a North Korean intelligence agency, stole $81 million from Bangladesh’s central bank in 2016. Andariel disrupted computer networks across South Korea in 2013, while Kimsuky reportedly made several attempts to attack KAI and the Korea Atomic Energy Research Institute.

Those hacking groups hacked a South Korean shipbuilder for drawings and design data last August and September. They were also known to have seized some information on the latest 3,000-ton submarine and the KF-21, the country’s first homegrown supersonic jet fighter.
A prototype of the KF-21, the country’s first homegrown supersonic jet fighter (File photo, courtesy of the KAI)

POOR SECURITY SYSTEMS

The hackers targeted the vulnerable security systems of South Korean defense makers.

The attackers took over internal networks that those companies had opened for tests and used them to transfer important information to overseas cloud servers. They also stole technology data by taking advantage of certain loopholes, such as some defense contractors’ employees using the same ID and password for portal sites as for their corporate access accounts.

South Korean defense makers have already been in trouble due to poor security systems. The KF-21’s technology was allegedly leaked to Indonesia, South Korea’s partner for the jet’s development, while Taiwan was suspected of taking the technology of a submarine developed by Daewoo Shipbuilding & Marine Engineering Co., currently Hanwha Ocean Co.

An employee of a South Korean defense company lost his laptop about five years ago when he went abroad for a business trip, industry sources said. Separately, engineers of a major arms manufacturer were found to have saved data on their personal email accounts for convenience after the company separated its internal and external networks, according to the sources.

“If members of defense and related companies do not comply with security rules just because they are inconvenient, that will pose a huge threat to national security,” said Shin Jong-woo, secretary general of the Korea Defence and Security Forum (KODEF).

Write to Cheol-Oh Cho and Dong-Hyun Kim at cheol@hankyung.com
 

Jongwoo Cheon edited this article.