A North Korean cyber hacking group breached the security of a South Korean state-run nuclear research institute’s computer network last month, a South Korean opposition lawmaker alleged Friday.
“According to Rep. Ha Tae-keung of the main opposition [conservative] People Power Party, 13 external Internet Protocol (IP) addresses were found to have breached the internal network of the Korea Atomic Energy Research Institute (KAERI) on May 14,” South Korea’s Yonhap News Agency reported June 18.
Ha claimed, “Some of the [IP] addresses were traced back to hacking servers of ‘kimsuky,’ a North Korean cyberespionage group,” according to Yonhap.
The legislator cited “data analysis done by Seoul-based IssueMakersLab, an expert group of malware analysts,” to support his theory that North Korea’s Kimsuky group was responsible for the hacking, according to Pulse News, the English web edition of South Korea’s Maeil Business Newspaper.
“[S]ome of the IP addresses that breached the KAERI network were found to have used the email address of Moon Chung-in, a former special foreign policy adviser to [current South Korean] President Moon Jae-in,” Ha further claimed on Friday.
Moon Chung-in’s email account was reportedly hacked in 2018 while President Moon was already serving as South Korea’s president, according to Yonhap.
“The presidential office failed to track down the attacker at the time, but in 2020, a local cybersecurity firm reported that ‘kimsuky’ apparently distributed phishing emails targeting the former adviser,” the news agency noted.
Speaking at Friday’s press conference, held at the building of South Korea’s National Assembly, the national legislature, Ha claimed that KAERI “initially tried to cover up” the cybersecurity breach on May 14, telling Ha’s office “the incident did not take place.”
“Ha called on the [South Korean] government to probe the case, pointing out that the administration [of left-wing President Moon Jae-in] has been hesitant to admit North Korea’s cyberattacks,” according to Yonhap.
Despite KAERI’s alleged denial of the cyber hacking, the South Korean government-run entity “admitted” on June 18, shortly after Ha’s press conference, that “its internal network was indeed breached [on May 14] but added that it was still investigating who the culprit was and whether its data was actually stolen,” according to Yonhap.
The South Korean news agency describes Kimsuky as a known unit within North Korea’s Reconnaissance General Bureau, which serves as the nation’s military intelligence agency.
“The group is believed to be behind the cyber breach of manufacturers of COVID-19 [Chinese coronavirus] vaccines and treatments, including Britain-based AstraZeneca and South Korea’s Celltrion, last year,” Yonhap reported on June 18.
“The Kimsuky APT [advanced persistent threat] group has most likely been operating since 2012,” the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) wrote in an advisory published in October 2020.
“Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission [and] … conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States,” according to CISA.
“Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions,” the U.S. Department of Homeland Security agency wrote in its report.