North Korea APT Triumvirate Spied on South Korean Defense Industry For Years

Published: 23/11/2024   Category: security




Lazarus, Kimsuky, and Andariel all got in on the action, stealing important data from firms responsible for defending their southern neighbors (from them).



North Korea's premier advanced persistent threats (APTs) have been quietly spying on South Korean defense contractors for at least a year and a half, infiltrating some 10 organizations.

South Korean police this week released the findings of an investigation that uncovered concurrent espionage campaigns carried out by Andariel (aka Onyx Sleet, Silent Chollima, Plutonium), Kimsuky (aka APT 43, Thallium, Velvet Chollima, Black Banshee), and the broader Lazarus Group. Law enforcement did not name the victim defense organizations nor provide details on the stolen data.

The announcement comes one day after North Korea conducted its first-ever drill simulating a nuclear counterattack.

Few countries are so aware of cyber threats from foreign nation-states as South Korea, and few industries so aware as military and defense. And yet, Kim's best always seem to find a way.
"APT threats, particularly those driven by state-level actors, are notoriously difficult to fully deter," laments Mr. Ngoc Bui, cybersecurity expert at Menlo Security. "If an APT or actor is highly motivated, there are few barriers that can't eventually be overcome."
In November 2022, for instance, Lazarus targeted a contractor that was cyber aware enough to operate separate internal and external networks. However, the hackers took advantage of the contractor's negligence in managing the system connecting the two. First, the hackers breached and infected an external network server. While defenses were down for a network test, they tunneled through the network connection system and into the internal network. They then began harvesting and exfiltrating important data from six employee computers.

In another case beginning around October 2022, Andariel obtained login information belonging to an employee of a company that performed remote IT maintenance for one of the defense contractors in question. Using the hijacked account, it infected the company's servers with malware and exfiltrated data relating to defense technologies.

Police also highlighted an incident that lasted from April to July 2023, in which Kimsuky exploited the groupware email server used by one defense firm's partner company. A vulnerability allowed the unauthorized attackers to download large files that had been sent internally via email.
Of use to authorities, Bui explains, is that DPRK groups such as Lazarus "frequently reuse not only their malware but also their network infrastructure, which can be both a vulnerability and a strength in their operations. Their OPSEC failures and reuse of infrastructure, combined with innovative tactics such as infiltrating companies, make them particularly intriguing to monitor."
The perpetrators behind each of the defense breaches were identified thanks to the malware they deployed post-compromise — including the Nukesped and Tiger remote access Trojans (RATs) — as well as their architecture and IP addresses. Notably, some of those IPs traced to Shenyang, China, and a 2014 attack against the Korea Hydro & Nuclear Power Co.
"North Korea's hacking attempts targeting defense technology are expected to continue," the Korean National Police Agency said in a statement. The agency recommends that defense companies and their partners use two-factor authentication and periodically change passwords associated with their accounts, cordon off internal from external networks, and block access to sensitive resources for unauthorized and unnecessary foreign IP addresses.
