The stolen data amounted to 1.2TB of files – equivalent to around 230 high-definition films. Photo: Reuters

‘Alarming’: North Korea’s hackers target South’s defence technology to fund weapons programme

  • A probe showed that a hacker group, known as Andariel, had stolen 1.2TB worth of technical data from dozens of South Korean entities
  • With North Korea expanding cyberattacks on defence contractors and pharmaceutical firms, analysts urge the South to enhance cybersecurity measures
In a concerning turn of events, North Korea appears to be expanding its cyberattacks from phishing heists and ransoms to pilfering defence technology to help fund its weapons programmes in the face of tough sanctions, experts warn.
The cyber warfare tactics employed by the North underscored the critical need for South Korea to enhance cybersecurity measures as cooperation with other countries including China to identify responsible parties was difficult to achieve, they said.

A joint investigation by South Korean police and the US FBI found that a hacker group from the North, known as Andariel, had stolen technical data from dozens of South Korean defence contractors, pharmaceutical companies, financial firms and technical institutes, as well as research centres and universities.

“We’ve found, through cooperation with the FBI, that the North Korean hacking organisation Andariel hacked many domestic companies,” the Seoul Metropolitan Police Agency’s Security Investigation Support Division said on Monday.

The stolen data amounted to 1.2 terabytes (TB) of files – equivalent to around 230 high-definition films. This includes technology on advanced laser anti-aircraft weapons and their development plans, police said.

“This means the North’s hacking attacks are evolving remarkably and becoming bolder” to target moneymaking technology and sensitive defence technology, former vice-defence minister Shin Beom-cheol said on an SBS TV news talk show on Wednesday.

“This is something alarming for us,” he cautioned.

Lee Il-woo of the Korea Defence Network think tank said laser anti-aircraft weapons were being developed by the South’s military to cope with North Korean drones.
“The North has been persistent in attempting to hack into defence industries and I suspect there were many more incidents that went unnoticed or unreported,” he said.
North Korean leader Kim Jong-un gives field guidance at the Sci-Tech Complex in Pyongyang, in a photo released in October 2015. Photo: KCNA via Reuters

Andariel was said to have rented servers from domestic companies and used them as transit points to hack local tech, defence, pharmaceutical and financial companies. Many of the victims failed to notice the intrusions, while others chose not to report the damage to police over fears of losing credibility, according to the force.

The group also extorted 470 million won (US$356,000) worth of bitcoin from three South Korean firms in ransomware attacks.

A foreign woman was being investigated in connection with the ransomware attacks after some of the bitcoin, worth 630,000 yuan (US$88,600), was transferred through her account and withdrawn from a bank in China, police said. She has denied the money-laundering charge.

“What has drawn my attention most in this police announcement is that North Korea appears to be expanding cyberattacks on defence contractors and pharmaceutical companies,” Kim Seung-joo, a cybersecurity professor at Korea University, told This Week in Asia.

Biotechnology has emerged as one of the most valuable sectors following the Covid-19 pandemic, with defence technology valued more than ever amid ongoing wars in the Middle East and Ukraine, prompting hackers worldwide to target such industries, Kim said.

“This incident highlights the need for local defence companies to further bolster their IT security,” he warned.

A photo released on November 15 shows the first ground combustion test of a high-power solid fuel engine for a new intermediate-range ballistic missile, at an undisclosed location in North Korea. Photo: KCNA via KNS/AFP

Lee of the Korea Defence Network said researchers at various institutes and companies, including himself, endlessly received phishing emails carrying spyware that lured them into joining key seminars.

When the North paraded weapons for its “Victory Day” in July, Lee, a missile expert, said he was surprised to find striking similarities between the North’s new “Spike” missile used to strike ships or coastline batteries and the South’s tactical surface-to-surface missile.

“I suspect this missile technology might have been stolen from the South,” he said.

Entities from the North are believed to have stolen US$3 billion worth of cryptocurrency assets over the past six years, with about US$1.7 billion plundered last year alone.

In a report published last month, titled “Evolving North Korean Cyberattacks and Responses”, Kim Bo-mi at the Korea Institute for National Security Strategy said North Korea had stolen around US$340 million in cryptocurrency over the first three-quarters of the year, accounting for some 30 per cent of global cryptocurrency losses.

“North Korea seems to have found a breakthrough in the problem of cashing out cryptocurrencies by using Russian currency exchange services,” she said.

Most of the stolen assets are used to directly fund the hermit kingdom’s weapons of mass destruction and ballistic missile programmes, according to The Hacker News.

“[In the absence of] stronger regulations, cybersecurity requirements, and investments in cybersecurity for cryptocurrency firms, we assess that in the near term, North Korea will almost certainly continue to target the cryptocurrency industry due to its past success in mining it as a source of additional revenue to support the regime,” said Massachusetts cybersecurity company Recorded Future last month.

A man walks past a television showing a news broadcast with file footage of a North Korean missile test, at a railway station in Seoul on March 27, 2023. Photo: TNS

The United States government has reportedly sanctioned three mixers – Blender, Tornado, and Sinbad – and tens of individuals for laundering billions in assets for the North Korean regime.

About half of the laundered money is believed to have been used to bankroll the state’s ballistic missiles programme.

“North Korean threat actors also use the accounts and personal information of phishing victims to register verified accounts at trusted cryptocurrency exchanges where they can send the stolen cryptocurrency and cash out,” Recorded Future added.

Pyongyang has denied being involved in cybercrimes.
