Kimsuky and Andariel Target Seoul's Construction Industry
Espionage Groups Exploited Software Supply Chain Vulnerabilities to Widen Reach

Two prominent North Korean hacker groups, Kimsuky and Andariel, have been targeting South Korea's construction and machinery sectors since January to steal classified information that could help North Korea modernize its cities and factories, South Korean government agencies warned on Monday.
Several South Korean agencies, including the National Police Agency, the National Intelligence Service and the Cyber Operations Command, said in a joint cybersecurity advisory that the two North Korean cyberespionage groups - Kimsuky and Andariel - exploited website and software supply chain vulnerabilities to infect the systems of construction and machinery organizations.
The attacks followed a resolution by the Supreme People's Assembly in January to build modern industrial factories in 20 cities and counties every year. "North Korea's political party, military and government are working hard to implement policies, and North Korean hacking organizations are no different," the agencies said.
In one of these attacks, the Kimsuky group, also tracked as Black Banshee, APT43 and Ruby Sleet, exploited a file upload vulnerability in January to compromise a prominent construction industry website frequently visited by building and design professionals.
The agencies said the group planted malicious code in a security authentication system that visitors use to log in to the website, and used the compromised website as a "watering hole" to infect the PCs of local governments, public institutions and construction companies that accessed the website.
The hackers signed the altered authentication software with a legitimate certificate issued by D2Innovation so that antivirus software and browsers, which see a valid signature from a legitimately issued certificate, would not flag it. When a user installed the trojanized package, it executed malicious code from the %APPDATA% path and installed an information stealer that collected credentials, cookies, bookmarks and browsing history from browsers including Google Chrome and Microsoft Edge, along with GPKI certificates, SSH authentication keys and Sticky Notes contents.
"Considering that the high-ranking website was used as a distribution channel and the information-stealing malware included a GPKI certificate theft function, it is presumed that the hacking of public officials in the construction field was used as a bridgehead to attempt to steal information on major construction projects and technical data of construction companies participating in the project," the agencies said.
Authorities also observed Andariel, a cyberespionage group known for weaponizing vulnerabilities in enterprise software and web servers to infiltrate corporate networks and steal information, exploiting an insufficient-authentication vulnerability in a domestic security software product to infect organizations that used the application to protect their systems and networks.
Andariel, also tracked as Onyx Sleet and Dark Seoul, used a command-and-control server to push a malicious update for the security software to the VPN client on victims' devices, abusing the update process to install the Dora remote access Trojan. The RAT can upload files to and download files from the infected system and execute code whenever instructed by the attacker-controlled C2 server.
The group also deployed a dedicated file-stealing malware capable of exfiltrating large files, in particular detailed design codes and drawings related to machinery and construction equipment.
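Both intrusions above turn on the same supply-chain weakness: a client that accepts software because the transfer was self-consistent (the Andariel update channel with insufficient authentication) or because it carried a valid signature from some legitimately issued certificate (the Kimsuky package signed with the D2Innovation certificate). The following example, added here and not code from the advisory or from either vendor, contrasts a weak update verifier, a certificate-only verifier and a hardened one over four constructed update offers. All publisher names, keys, payloads and version numbers are assumed; HMAC stands in for the asymmetric signature a real client would verify against a pinned public key, and the decision logic is what matters.

```python
import hashlib
import hmac
import json

# Constructed trust store (assumed names). The HMAC keys stand in for the
# per-publisher signing keys a real update client would hold as pinned
# public keys (Authenticode or Ed25519); the decision logic is identical,
# only the primitive differs.
TRUSTED_PUBLISHER_KEYS = {
    "ExampleSec Co": b"k-examplesec",      # vendor of the security software
    "OtherVendor Ltd": b"k-othervendor",   # unrelated vendor with an equally valid cert
}
PINNED_PUBLISHER = "ExampleSec Co"       # the only signer this client should accept
INSTALLED_VERSION = (3, 2, 0)

# Constructed payloads standing in for the real update binaries.
GOOD_PAYLOAD = b"<constructed: genuine ExampleSec 3.2.1 update>"
EVIL_PAYLOAD = b"<constructed: trojanised update that drops a RAT>"
RELEASE_ALLOWLIST = {hashlib.sha256(GOOD_PAYLOAD).hexdigest()}  # vetted releases


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding of everything in the manifest except the signature."""
    body = {k: v for k, v in manifest.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, publisher: str) -> dict:
    """Sign a manifest with the named publisher's (stand-in) key."""
    signed = dict(manifest, publisher=publisher)
    key = TRUSTED_PUBLISHER_KEYS[publisher]
    signed["sig"] = hmac.new(key, canonical(signed), "sha256").hexdigest()
    return signed


def signature_valid(manifest: dict) -> bool:
    """True if the manifest carries a good signature from any trusted publisher."""
    key = TRUSTED_PUBLISHER_KEYS.get(manifest.get("publisher"))
    if key is None or "sig" not in manifest:
        return False
    expected = hmac.new(key, canonical(manifest), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["sig"])


def weak_verify(manifest: dict, payload: bytes) -> bool:
    """Only checks that the payload matches the manifest it arrived with.
    That protects against corruption in transit but never authenticates the
    source: whoever the client connects to can serve a self-consistent pair."""
    return sha256(payload) == manifest.get("sha256")


def cert_only_verify(manifest: dict, payload: bytes) -> bool:
    """Adds 'signed by a valid, trusted certificate'. A trojanised build signed
    with any legitimately issued key still passes."""
    return weak_verify(manifest, payload) and signature_valid(manifest)


def hardened_verify(manifest: dict, payload: bytes) -> bool:
    """Pin the expected publisher, allowlist release hashes, refuse rollback."""
    if not signature_valid(manifest) or manifest.get("publisher") != PINNED_PUBLISHER:
        return False
    digest = sha256(payload)
    if digest != manifest.get("sha256") or digest not in RELEASE_ALLOWLIST:
        return False
    return tuple(manifest.get("version", ())) > INSTALLED_VERSION


def run_scenarios() -> dict:
    """Returns {scenario: (weak, cert_only, hardened)} for four update offers."""
    new_hash, evil_hash = sha256(GOOD_PAYLOAD), sha256(EVIL_PAYLOAD)
    scenarios = {
        # the vendor's real release
        "genuine": (sign_manifest({"version": [3, 2, 1], "sha256": new_hash}, "ExampleSec Co"), GOOD_PAYLOAD),
        # a C2 server answering the update check with its own unsigned manifest
        "c2_unsigned": ({"version": [3, 2, 1], "sha256": evil_hash}, EVIL_PAYLOAD),
        # a trojanised build signed with another vendor's legitimate key
        "cross_signed": (sign_manifest({"version": [3, 2, 1], "sha256": evil_hash}, "OtherVendor Ltd"), EVIL_PAYLOAD),
        # a vetted payload re-signed by the real vendor but claiming an older version (downgrade)
        "rollback": (sign_manifest({"version": [3, 1, 0], "sha256": new_hash}, "ExampleSec Co"), GOOD_PAYLOAD),
    }
    return {
        name: (weak_verify(m, p), cert_only_verify(m, p), hardened_verify(m, p))
        for name, (m, p) in scenarios.items()
    }


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:13s} weak={verdicts[0]!s:5s} cert_only={verdicts[1]!s:5s} hardened={verdicts[2]}")
```

The weak verifier accepts all four offers, the certificate-only verifier rejects only the unsigned C2 manifest, and the hardened verifier accepts only the genuine release. The point for defenders is that "signed" and "hash matches" are necessary conditions, not sufficient ones: the client has to know which publisher it expects, which release hashes have been vetted, and which version it already runs.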
The latest cybersecurity advisory follows a similar one earlier in July in which U.S., British and South Korean government agencies blamed Andariel for targeting their defense, aerospace and energy sectors to steal Western nuclear and military technologies to advance the Kim Jong Un regime's military and nuclear ambitions (see: Agencies Warn of North Korean Hacks on Nuclear Installations).
Government officials said the group in recent years actively pursued classified technical information related to military systems such as battle tanks, artillery guns, small combat ships, submarines and underwater vehicles, fighter aircraft, and satellites to help shore up North Korea's weapons development capabilities.
Cybersecurity company Zscaler also blamed Kimsuky for using a malicious Google Chrome extension since March to exfiltrate sensitive information from South Korean academic institutions conducting research on North Korean affairs (see: Kimsuky Group Using Chrome Extensions to Steal Victim Data).