According to the think tank, it was not a cover-up, but rather a mistake its own employees made in their response

Jun 21, 2021 07:29 GMT

South Korean authorities revealed that Kimsuky managed to hack the state nuclear think tank Korea Atomic Energy Research Institute (KAERI) in May 2021. KAERI was accused of a cover-up by the Korean news organization that uncovered the story, according to The Register.  

IssueMakersLab, a malware analysis firm, discovered an attack on KAERI on May 14. There were 13 different Internet addresses involved in the cyberattack, one of which was related to Kimsuky. The latter is said to be a North Korean global intelligence-gathering operation, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The organization, also known as Thallium, Black Banshee, and Velvet Chollima, is suspected of conducting multiple malware attacks. It has allegedly attacked South Korean COVID-19 vaccine researchers and nuclear reactors in the past. To gain access to victims' systems, the group has frequently used phishing techniques that impersonate Telegram, Gmail, Outlook, and other popular brand websites.

North Korean cybercriminals managed to hack into KAERI networks by exploiting a VPN vulnerability

This is not the first attack on the agency. Yonhap news agency reported that KAERI was hacked back in 2018 through an email account obtained from President Moon Jae-in's former advisor, Moon Chung-in, during a cyberattack attributed to Kimsuky.

According to the Korean Ministry of Science and ICT (MSIT), the network was breached through a VPN server vulnerability. The attack was discovered on May 31, and urgent steps were taken to block the IP addresses and apply security fixes.

While the extent of the damage is not yet known, there are concerns that the leak of information about nuclear technologies could compromise national security. SISA Journal was the first to report the attack, accusing KAERI of downplaying the breach after it identified one researcher who made three different statements about the topic.

KAERI issued the following statement (translated) in response to the cover-up accusations: 

"The statement that 'there was no hacking incident' was a mistake in the response of the working-level staff, which occurred in a situation where damage was not confirmed during investigation due to suspected infringement."