gettyimagesbank

Three key hacking groups from North Korea have infiltrated about 10 South Korean defense firms over the past one and a half years in a concerted attempt to steal defense technologies, the National Police Agency (NPA) said Tuesday.

The police agency disclosed the results following an investigation conducted with the national cyber crisis management team into cyber threats shared by related government organizations.

It marks the first confirmed concerted hacking attack launched by the three notorious North Korean hacking groups — Lazarus, Andariel and Kimsuky — with the aim of stealing defense technologies from South Korean firms, the NPA said.

Since November 2022, Lazarus has hacked into the external computer server of one of the affected firms and implanted malicious codes, eventually taking control of the firm's intranet and transferring key data from six internal computers to an overseas-based cloud server.

Andariel has been stealing defense technology data from another defense firm since October 2022 by illegally obtaining email and password information from a separate firm responsible for remote maintenance and repair work for the defense firm.

Kimsuky also illegally accessed email servers of another defense technology firm and downloaded technology data between April and July last year, the NPA said.

Based on the IP addresses and malicious codes used in the attacks, including what were identified as Nukesped and Tiger RAT, as well as the methods of targeting the most vulnerable software loopholes and building route servers, the police traced the attacks back to the North Korean hacking groups.

Some of the IP addresses were traced to China's Shenyang and identified as the same addresses used in the 2014 hacking attack on the South Korean hydro power agency, Korea Hydro & Nuclear Power Co.

Police have confirmed that such attacks had continued for one and a half years until recently. However, due to the expiration of the communication log storage periods and the deletion of traces of the leaks, the exact timeframe and the full extent of the damage remained inconceivable, officials said.

The affected firms themselves had also not been aware of the attacks until the police investigation began.

"In regard to the extent of the damage, the defense ministry and the Defense Acquisition Program Administration will look into the matter thoroughly," an NPA official said, without disclosing the types of leaked technologies, citing confidentiality.

The NPA also speculated that the hacking attack may have been conducted under instructions by North Korean leader Kim Jong-un.

"In the past, it was known that Kimsuky had the role of attacking government organizations and politicians while Lazarus and Andariel had separate roles targeting financial institutions and the military and defense institutions, respectively," the official said.

"The latest investigation confirmed that the three hacking groups launched all-encompassing attacks during an overlapping period for a single purpose," the official said. (Yonhap)