South Korean officials have admitted that government nuclear think tank Korea Atomic Energy Research Institute (KAERI) was hacked in May 2021 by North Korea’s Kimsuky group. The Korean news outlet that broke the story has accused KAERI of a cover-up.
Malware analysis group IssueMakersLab said in a report that it detected an attack on KAERI on May 14th. The attack originated from 13 external IP addresses, one of which was traceable to Kimsuky.
The Kimsuky group is not new. According to the US Cybersecurity and Infrastructure Security Agency (CISA), the group is believed to be a North Korean global intelligence gathering mission, operating since 2012. The group — which also goes by Velvet Chollima, Black Banshee, and Thallium — is believed responsible for numerous malware attacks, and in the past has targeted South Korean COVID-19 vaccine researchers and nuclear reactors.
The group often uses phishing pages that mimic login portals for services like Gmail, Outlook and Telegram. Once it has a foothold, the group installs its Windows and Android backdoor “AppleSeed” to collect information.
Korea’s Ministry of Science and ICT (MSIT) said a vulnerability in a VPN used by KAERI allowed access to one of the agency’s servers. KAERI said it discovered the attack on May 31st and then took steps to block the IP addresses and install security patches.
South Korean news agency Yonhap has reported that the KAERI network was breached using an email address from President Moon Jae-in’s former advisor, Moon Chung-in, that was acquired during a 2018 Kimsuky-attributed cyberattack.
The extent of damage has not been confirmed, said MSIT on Friday. Officials fear that the leaking of information pertaining to nuclear technology, like reactors and fuel rods, could pose security risks.
The attack was first reported by Korean news outlet, SISA Journal, which accused KAERI of concealing the breach. The journal cited a researcher who changed his position on the…