Threat actors strike again. This time through a network weakness. A KAERI VPN vulnerability served as a way to breach the internal system at the Korea Atomic Energy Research Institute. The agency confirmed on the 18th of June a cyberattack that happened last month. The hackers were none others than the North Korean threat actors. They used a VPN flaw and managed to break into the system and hack the network.

Kimsuky APT Group Behind This KAERI VPN Vulnerability Attack

Kimsuky APT Group is a hacking organization active since 2012. They target mainly the South Korean government’s entities. They are also well-known for their activity in collecting e-mail addresses for the purpose of spear-phishing e-mails. Kimsuky was behind a new cyberattack on May 14th  that affected South Korea’s Atomic Energy Research Institute. A KAERI VPN vulnerability permitted this network breach.

However, the nature of the stolen data is not confirmed yet. The agency denied the attack in the first place when it was initially reported by Sisa Journal, the South Korean media journal. Bleeping computer states that the agency revealed and confirmed the cyberattack in a press conference on the 18th of June, apologizing for refusing to confirm the facts earlier.

How Did This Happen and What It Affected?

KAERI, known also as Korea Atomic Energy Research Institute, is the biggest nuclear research institution in South Korea that conducts research on fuel rods and different reactors topics.

A representative of the main opposition party of South Korea, by his name Ha Tae-keung declared that the KAERI VPN vulnerability permitted hackers’ access to the agency’s internal network through 13 unauthorized IP addresses. It was discovered that one of the addresses belonged to the Kimsuky threat actors’ group that is believed to be working for the North Korean Reconnaissance General Bureau which stands for North Koreas’ Intelligence organization.

Cyberattacks Unceasing and Hackers Tireless

Other security systems have been recently affected by cyberattacks, such as SonicWall, Pulse Secure, Citrix, and Fortinet FortiOS, because of some unpatched VPN systems.

Kimsuky’s new attack is not something really surprising as the hacker’s group’s actions were being observed since 2014. Their data breaches have a long history behind them.

In 2014, Kimsuky targeted the nuclear and hydroelectric utility South Korea. Then the Ministry of Unification and the South Korean police were victims of some phishing attacks in 2019. CISA, the Cybersecurity, and Infrastructure Security Agency, published a notification back in October 2020 regarding the threat represented by this hacker organization.

Kimsuky employs common social engineering tactics, spear phishing, and watering hole attacks to exfiltrate desired information from victims. Kimsuky is most likely to use spear phishing to gain initial access into victim hosts or networks. Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States. Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.


Another report published on Malwarebytes’ website analyzed and revealed how this Korean threat actors group conducted phishing attacks using the “AppleSeed” backdoor, a backdoor that is able to collect documents, machines’ keystrokes, data from media devices that are removable such as USBs or external hard drivers and make print screens. Among the South Korean targeted government agencies were also: the International Atomic Energy Agency (IAEA) Nuclear Security Officer, the Ministry of Foreign Affairs, the Republic of Korea’s 1st Secretary, and the Ministry of Foreign Affairs, the Republic of Korea 2nd Secretary.

The nuclear energy topic is of main interest for all North Korean cyber criminals as the Record claims, tracing a historical background. Anyhow, KAERI stated that they updated the VPN and fixed the issue.

South Korean Company HMM Reveals It Had Suffered a Cyberattack on Its Email Servers

North Korean Hackers Most Likely to Have Been Behind the CryptoCore Heists

North Korean Attackers Implemented the Web Skimming Method to Steal Cryptocurrency

Leave a Reply

Your email address will not be published. Required fields are marked *