North Korean hacking group allegedly behind breach of South Korean nuclear institute

A high-profile North Korean hacking group has allegedly struck again in South Korea, this time breaching the security of its nuclear research institute.
Written by Cho Mu-Hyun, Contributing Writer

A North Korean hacking group with a history of high-profile attacks against South Korea allegedly breached the network of South Korea's state-run nuclear research institute last month.

Representative Ha Tae-keung of the People Power Party, South Korea's main opposition party, claimed 13 unauthorised IP addresses accessed the internal network of Korea Atomic Energy Research Institute (KAERI) on May 14.

Some of the addresses could be traced back to Kimsuky, a North Korean cyber espionage group, Ha claimed.

"If the state's key technologies on nuclear energy have been leaked to North Korea, it could be the country's biggest security breach, almost the same level as a hacking attack by the North into the defense ministry in 2016," the lawmaker said.

According to the US Cybersecurity and Infrastructure Security Agency, Kimsuky is an advanced persistent threat group likely tasked by the North Korean regime with a global intelligence-gathering mission, with a focus on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.

Prior to its alleged attack against KAERI, the group was thought to have been installing malware inside documents detailing South Korea's response to the COVID-19 pandemic in 2020.

The group is also thought to be behind a series of phishing attacks in 2019 against the South Korean police and Ministry of Unification. Kimsuky's most notorious cyber attack was made in 2014 against Korea Hydro & Nuclear Power, South Korea's nuclear and hydroelectric utility.

In response to Ha's claims, KAERI issued a statement saying an unidentified outsider accessed parts of its system using weaknesses in its virtual private network (VPN). The institute then blocked the attacker's IP address and updated the security of its network, it said. It has since been working with authorities to investigate the scope of the damage and who was behind the attack, KAERI added.

KAERI officials were unavailable for further comment.

On Sunday, local media reports claimed that Daewoo Shipbuilding & Marine Engineering, a supplier of ships and submarines to the South Korean military, has been suffering cyber attacks since last year from groups thought to be run by North Korea. The Defense Acquisition Program Administration, a subagency of the Ministry of National Defense responsible for procuring weapons, confirmed there were attempted hacking attacks against Daewoo last year but denied they were connected with North Korea.
