Seoul, South Korea. Image: Yohan Cho via Unsplash

Familiar North Korean groups cited in cyberattacks against South Korean defense firms

Major North Korean hacker groups tried to breach dozens of South Korean defense companies for more than a year and stole technical data from some of them, authorities said on Tuesday.

South Korean security services identified three Pyongyang-backed groups responsible for these attacks — operations known to global law enforcement and cybersecurity researchers as Lazarus, Kimsuky and Andariel.

They purportedly infiltrated the networks of 83 South Korean defense companies or their contractors and stole confidential information from about 10 of them from October 2022 to July 2023, according to local media reports citing the National Office of Investigation.

Some of the targeted defense companies were “completely unaware” before they were contacted by law enforcement, according to the South Korean statement.

The investigators also disclosed the details of some of the attacks. In November 2022, for example, Lazarus hacked the server of an unnamed defense industry company and transferred some of the “important data from the internal network, including development team employee computers,” to an overseas cloud server.

Sometime around October 2022, the Andariel group leaked defense company data by hijacking an employee account. From April to July 2023, Kimsuky stole technical data from a company by exploiting a vulnerability that allowed downloading large files via email.

The police did not name the companies that were hacked or say what data was leaked.

All of the mentioned North Korean threat actors have previously attacked critical South Korean industries. In 2021, Kimsuky breached South Korea's atomic research agency through a VPN bug. Lazarus targeted the judicial system in South Korea. 

Earlier in February, Germany and South Korea's intelligence agencies issued a joint advisory, warning of an ongoing North Korean cyber-espionage operation targeting the global defense sector. Lazarus was among the threat actors mentioned in the advisory.

In December 2023, Andariel targeted South Korean companies connected to the defense industry and stole sensitive information about anti-aircraft weapon systems.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.