South Korea's National Intelligence Service, the Prosecutors' Office, the National Police Agency, the Defense Security Command, and the Cyber Operations Command have issued a joint cybersecurity advisory warning of increasing cyber threats from North Korean hacking groups targeting the country's construction and machinery sectors.
The advisory describes attacks by the Kimsuky (also known as Ruby Sleet, APT43, Velvet Chollima) and Andariel (also known as Dark Seoul, Silent Chollima, Onyx Sleet) hacking groups, both operating under North Korea's Reconnaissance General Bureau. It details the tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) observed in the attacks.
The agencies also highlight the connection between these cyberattacks and North Korea's strategic goals, particularly the “20x10 Local Development Policy” announced by Kim Jong-un during the 10th session of the 14th Supreme People's Assembly on January 15, 2024. The policy aims to modernize industrial plants in 20 cities and counties annually, driving intense competition among North Korean Party, military, and government entities to fulfill this vision.
In the Kimsuky campaign spotted in January 2024, the threat actor targeted professional associations in the construction sector. The attackers distributed malware through a trojanized security authentication program hosted on a professional association's website, infecting the computers of officials from local governments, public institutions, and construction companies who logged into the site.
The operation combined a supply chain attack with a watering hole attack. The attackers exploited a file upload vulnerability on the website to replace one of the five security authentication programs required for login with a modified version. The modified program was signed with a stolen code-signing certificate, so it looked legitimate and evaded some browser and antivirus checks.
Once executed, the malware, dubbed TrollAgent, collected system information, captured screenshots, and harvested browser-stored credentials, cookies, bookmarks, and browsing histories. It also stole GPKI certificates, SSH keys, Sticky Notes content, and FileZilla configuration data from infected PCs.
In another campaign, discovered in April and attributed to the Andariel APT, the hackers leveraged vulnerabilities in VPN and server security software to attack machinery and construction companies. They replaced legitimate update files with remote access malware (DoraRAT) by exploiting weak authentication in the software's update process.
The attack began with the hackers sending spoofed packets that impersonated the legitimate update server. The VPN client on the victim's machine, failing to verify the authenticity of what it received, requested an update file from the attacker's command-and-control (C2) server. The file contained remote access malware that let the attackers upload and download files, execute commands, and conduct further malicious activity. Any update mechanism that accepts a server-supplied download location without a verified signature over it, and installs the result without checking it against a signed hash, is exposed to this kind of hijack.
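The following is an added example, not code from the advisory or from the affected vendor, showing the update-client weakness described above beside a hardened version. It models the exchange offline in Go: a spoofed server sends a manifest pointing at a C2 URL, the weak client follows it, and the hardened client rejects it because the manifest is not signed by the pinned publisher key. A second variant, where the file behind the real URL is swapped, is caught by the hash check. The manifest layout, URLs, payload strings, and fixed key seeds are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed, minimal update descriptor: which version to
// install, where to fetch it, and the expected SHA-256 of the payload.
// Real products use richer formats; this structure is an assumption.
type Manifest struct {
	Version string
	URL     string
	SHA256  string // hex-encoded digest of the payload
}

// canonical returns the byte string the publisher signs.
func (m Manifest) canonical() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

// fetchUpdateVulnerable models the weak client: it trusts whatever manifest
// arrives on the wire and downloads from the URL it names, so a spoofed
// server can point it at attacker-controlled infrastructure.
func fetchUpdateVulnerable(m Manifest, fetch func(string) []byte) []byte {
	return fetch(m.URL)
}

// fetchUpdateHardened refuses any manifest not signed by the pinned publisher
// key, and refuses any payload whose hash differs from the signed digest.
func fetchUpdateHardened(pub ed25519.PublicKey, m Manifest, sig []byte, fetch func(string) []byte) ([]byte, error) {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	payload := fetch(m.URL)
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload hash mismatch: refusing update")
	}
	return payload, nil
}

// Result records how each client behaved in the simulated attack.
type Result struct {
	VulnerableInstalledMalware bool  // weak client fetched the attacker's file
	GenuineErr                 error // hardened client on the real update (expect nil)
	ForgedManifestErr          error // hardened client on the spoofed manifest
	SwappedPayloadErr          error // hardened client when the file at the real URL is replaced
}

// RunScenario plays out the update hijack offline with constructed data.
func RunScenario() Result {
	// Fixed seeds keep the example deterministic; real keys come from a CSPRNG
	// and the private key never leaves the publisher's signing environment.
	publisherKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	attackerKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x13}, ed25519.SeedSize))
	pinnedPub := publisherKey.Public().(ed25519.PublicKey)

	genuine := []byte("genuine VPN client build 2.1 (constructed stand-in)")
	malware := []byte("remote access trojan (constructed stand-in)")
	gSum := sha256.Sum256(genuine)
	mSum := sha256.Sum256(malware)

	realManifest := Manifest{Version: "2.1", URL: "https://update.vendor.example/vpn-2.1.bin", SHA256: hex.EncodeToString(gSum[:])}
	realSig := ed25519.Sign(publisherKey, realManifest.canonical())

	// Spoofed server: a manifest that points at the attacker's C2 and carries
	// the malware's hash, signed with a key the client has no reason to trust.
	forged := Manifest{Version: "2.2", URL: "https://c2.attacker.example/update.bin", SHA256: hex.EncodeToString(mSum[:])}
	forgedSig := ed25519.Sign(attackerKey, forged.canonical())

	files := map[string][]byte{realManifest.URL: genuine, forged.URL: malware}
	fetch := func(url string) []byte { return files[url] }

	var r Result
	r.VulnerableInstalledMalware = bytes.Equal(fetchUpdateVulnerable(forged, fetch), malware)
	_, r.GenuineErr = fetchUpdateHardened(pinnedPub, realManifest, realSig, fetch)
	_, r.ForgedManifestErr = fetchUpdateHardened(pinnedPub, forged, forgedSig, fetch)

	// Second variant: the attacker swaps the file behind the legitimate URL but
	// cannot re-sign the manifest, so the hash check catches the substitution.
	files[realManifest.URL] = malware
	_, r.SwappedPayloadErr = fetchUpdateHardened(pinnedPub, realManifest, realSig, fetch)
	return r
}

func main() {
	r := RunScenario()
	fmt.Println("vulnerable client installed malware:", r.VulnerableInstalledMalware)
	fmt.Println("hardened client, genuine update:", r.GenuineErr)
	fmt.Println("hardened client, forged manifest:", r.ForgedManifestErr)
	fmt.Println("hardened client, swapped payload:", r.SwappedPayloadErr)
}
```

The design point is that the client's trust anchor is a key it already holds, not anything the server says: the URL and the hash are only believed once the signature over them checks out, and the downloaded bytes are only installed once they match that signed hash. Transport-level checks such as TLS alone do not cover the case the advisory describes, where the legitimate update file on the server side has itself been replaced.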
Additionally, the threat actor deployed a file-stealing malware capable of exfiltrating large files, such as machinery and equipment design diagrams. The Andariel group also exploited vulnerabilities in server security products to gain elevated system access and control, highlighting its focus on IT management software as a route to mass infection.