Announcement of Security Advisory by NIS and Intelligence Community
North Korean Hacking Attacks on 'Construction and Machinery' Sectors Surge Compared to Previous Year
Connection to Kim Jong-un's 'Regional Development 20×10' Policy
Counterintelligence authorities have issued a joint security advisory warning of the possibility of technology theft by North Korean hacking groups targeting the domestic construction and machinery sectors.
According to the National Cybersecurity Center on the 5th, the 'Cybersecurity Information Community,' which includes the National Intelligence Service, the Prosecutor's Office, the National Police Agency, the Defense Counterintelligence Command, and the Cyber Operations Command, stated in the joint security advisory released that day, "We have confirmed a sharp increase in hacking attacks targeting construction and machinery organizations and local government officials compared to the previous year," and "It is estimated that North Korea will use the stolen data on South Korea's construction, machinery, and urban development sectors for industrial factory construction and regional development plans."
In particular, the advisory attributed the hacking activities to Kimsuky and Andariel, two hacking groups affiliated with North Korea's Reconnaissance General Bureau, warning that "It is unusual for hacking groups under the Reconnaissance General Bureau to simultaneously focus attacks on specific sectors to achieve the same policy objectives."
The North Korean hacking group Kimsuky distributed malware through the website of a professional organization in South Korea's construction sector in January this year. The malware was hidden within the security authentication software used for website login, so PCs belonging to local governments, public institutions, and construction companies that accessed the website were infected. Investigations revealed meticulous preparation: the attackers stole valid digital certificates in advance, used them to sign tampered software files, and distributed those files alongside the legitimate security authentication software.
In April, another North Korean hacking group, Andariel, launched an attack. Exploiting vulnerabilities in domestic information security software, the group replaced update files with malware and had them executed, distributing remote control malware (DoraRAT) to construction and machinery companies. The remote control malware used in the attack was designed to be simple and lightweight, capable of file upload/download and command execution. Additionally, 'file-theft type malware' capable of stealing large volumes of files from infected PCs was also identified.
The Information Community estimated that North Korea used Kimsuky's hacking of construction sector officials as a foothold in an attempt to steal key construction project information and technical data from the construction companies involved in the projects. It pointed out that these incidents occurred because of vulnerabilities in websites and information security software rather than individual carelessness, emphasizing that "As North Korea is expected to continuously target vulnerabilities in services and products, efforts by organizational members and IT (Information Technology) and security personnel to mitigate damage are crucial."
Analysis suggests that hacking attempts against domestic construction and machinery organizations are closely related to North Korea's industrial policies. In January this year, North Korean Supreme Leader Kim Jong-un presented the so-called 'Regional Development 20×10 Policy' at the Supreme People's Assembly, stating that "An important issue in improving people's lives is overcoming the differences between the capital and provinces and regional imbalances." Since then, North Korea has been promoting the construction of modernized industrial factories in 20 cities and counties annually.
Meanwhile, the Cybersecurity Information Community was launched in July last year to establish a close cooperative system among related agencies aimed at deterring illegal cyber activities by international and state-backed hacking groups. Its main missions include joint disclosure of major attack methods used by international and state-backed hacking groups; legal actions such as public warrants and prosecutions against cyber threats; and securing deterrence and countermeasures against illegal activities.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.


