North Korean hackers breach South Korea's atomic research agency through VPN bug

South Korean officials said on Friday that hackers believed to be operating out of North Korea breached the internal network of the South Korean Atomic Energy Research Institute (KAERI), the government organization that conducts research on nuclear power and nuclear fuel technology.

In a press conference, a KAERI spokesperson said the intrusion took place last month on May 14, through a vulnerability in a virtual private network (VPN) server.

Thirteen different IPs were seen abusing the vulnerability and accessing the organization's internal network.

One of these IP addresses was linked to attack infrastructure used by Kimsuky, a North Korean cyber-espionage group.

The name of the VPN server vendor was redacted in documents presented to South Korean press today at a KAERI press conference.

KAERI held a press conference today after news of the hack leaked to reporters earlier this month, and the agency came under criticism for initially denying the intrusion.

In a press release posted on its website after the press conference, the agency apologized for its initial denial.

News of Kimsuky's KAERI hack comes after security firm Malwarebytes published a report at the start of the month exposing a Kimsuky spear-phishing campaign that targeted several South Korean government entities, but also the nuclear security officer for the International Atomic Energy Agency (IAEA), a UN organization tasked with nuclear regulations and cooperation.

All North Korean cyber-espionage groups, not just Kimsuky, have all been historically interested in nuclear energy and nuclear arms-related targets, primarily due to the country's controversial nuclear weapons program.

In September 2019, the US Treasury Department sanctioned three North Korean hacking groups (Lazarus, Andariel, Bluenoroff) for hacks aimed at stealing funds to funnel back into the country's nuclear weapons and missile programs.