North Korea hacks two South Korean chip firms to steal engineering data

March 8, 2024

The National Intelligence Service (NIS) in South Korea warns that North Korean hackers target domestic semiconductor manufacturers in cyber espionage attacks.



NIS says these attacks increased from the second half of 2023 until recently, targeting internet-exposed servers vulnerable to known flaws to gain initial access to corporate networks.


Once the network was breached, the threat actors stole data from servers holding sensitive documents and data.


In the cases observed by the NIS, the North Korean adversaries used "living off the land" tactics, which entail abusing legitimate software tools for malicious purposes to evade detection by security products.


The NIS mentions at least two cyberattacks on separate entities, occurring in December 2023 and February 2024, where the company's configuration management and security policy servers were hacked.


This reportedly resulted in the compromise of product design drawings and facility site photos, among other sensitive data.


The two victims aren't named in the report, but it is worth noting that South Korea is home to two leading chipmakers, Samsung Electronics and SK Hynix, which develop and produce a wide range of processors, system-on-chips, DRAM, and NAND flash products.


According to the US Department of Commerce, Samsung Electronics and SK Hynix are responsible for 73 percent of the global DRAM market share and 51 percent of the NAND flash market. 


The two firms play critical roles in the global semiconductor supply chain, providing chips for a wide array of notable firms across various industries globally, including Apple, Google, Microsoft, Amazon, Sony, Dell, and many automotive and consumer electronic makers.


NIS reckons that these cyberattacks are aimed at collecting valuable technical information that the North Korean regime could use to develop its own chip-making program and cover military equipment needs.


"In relation to this hacking trend, the National Intelligence Service believes that North Korea may have started to prepare for its own semiconductor production due to difficulties in obtaining semiconductors because of sanctions, which affect the development of weapons such as satellites and missiles." - NIS.


The intel org says it notified the domestic victims of the cyberattacks and provided recommendations on detecting and stopping them.


An NIS official also highlighted the importance of applying security updates and strict access controls on internet-exposed servers, as well as consistently applying and updating robust authentication processes for administrators to prevent unauthorized access via hijacked privileged accounts.


North Korean hackers have a long history of targeting South Korea in cyber espionage attacks to steal data that could further their own domestic programs or agendas.


These activities have led the US government to sanction the DPRK hacking group known as 'Kimsuky,' which has been linked to a wide variety of attacks, including the breach of South Korea's Korea Atomic Energy Research Institute.



Source: bleepingcomputer.com

