The Korea Atomic Energy Research Institute (KAERI), a government-owned organization in South Korea, has disclosed that its internal network was targeted by cybercriminals possibly operating from North Korea.
KAERI is a Seoul-funded research institute established in 1959. It is located in Daejeon and is responsible for designing and developing nuclear technologies for fuel rods, reactors, radiation fusion, and nuclear safety.
The organization was reportedly targeted by hackers in May, and Pyongyang might have acquired valuable technologies as a result.
Attack Detected in Mid-May
Kimsuky is also known as Black Banshee, Velvet Chollima, and Thallium. It is a North Korean threat group known for cyberespionage campaigns against South Korean think tanks and nuclear power operators. In March 2015, Kimsuky operators were also blamed for hacking South Korean nuclear plants and leaking sensitive data.
About the Attack
Reportedly, the attackers exploited a vulnerability in a product from an unidentified VPN (virtual private network) vendor. As many as 13 IP addresses linked to the attackers were identified, including 27.102.114[.]89, which was previously linked to the Kimsuky state-sponsored hacking group.
After detecting the intrusion, the institute blocked all the identified IP addresses and applied the necessary security patches to the vulnerable VPN. It isn’t clear which VPN vulnerability was exploited to target the organization, but in the recent past, unpatched VPN systems from SonicWall, Pulse Secure, Citrix, and Fortinet FortiOS have become the targets of threat actors.
KAERI noted that government agencies had been notified about the attack, and investigators are currently evaluating the extent of the damage.
“Currently, the Atomic Energy Research Institute is investigating the subject of the hacking and the amount of damage,” the organization’s spokesperson said.
A member of the South Korean National Assembly’s Intelligence Committee from the opposition People Power Party reported this incident and claimed that the hackers might have gotten hold of their nuclear power technology, adding that if this is the case, the damage could be far greater than the 2016 attack on the South Korean Defense Ministry servers. At the time, the North Korean government was blamed for the attack, but it denied any involvement.