North Korean state-sponsored hacking groups, including Kimsuky (APT43) and Andariel (APT45), have significantly increased cyberattacks on South Korean construction and machinery sectors.
This surge aligns with Kim Jong-un’s “Local Development 20×10 Policy,” aimed at modernizing industrial facilities across North Korea.
In response, South Korea’s National Cyber Security Center (NCSC) and intelligence agencies have issued a comprehensive joint cybersecurity advisory, in which they urged that North Korean hackers have been exploiting VPN update flaws to breach networks.
Not only that, but they also detailed several other important things. The advisory aims to help organizations prevent and mitigate potential damage, as stolen data could be used to advance North Korea’s industrial and urban development plans.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access
There were two cases were highlighted and they are:-
In January 2024, the Kimsuky group of North Korea carried out a complex supply chain attack on a South Korean construction industry website.
The hackers attacked the security authentication software and hijacked the NX_PRNMAN system.
This malware, called “TrollAgent,” which was coded in Go, infected the PCs of government employees, public institutions, and construction professionals who accessed the compromised site of security authentication software.
To work without detection, TrollAgent collected information about systems, capturing them via screenshots, and downloading all sorts of sensitive data including passwords from browsers’ memory locations, GPKI certificates, SSH keys, and even FileZilla’s client services.
The cyber attackers used a real digital certificate from “D2Innovation” which allowed them to evade some security checks.
Such occurrences are significant as the complexity and detailed nature of North Korean cyber operations against South Korea’s infrastructure sectors increases.
In April 2024, Andariel, a North Korean hacking group, perpetuated a complex attack against South Korean construction and machinery firms by exploiting the loopholes in local VPNs and server security software.
It took advantage of holes in client-server communication protocols that focused on update activities lacking enough authentication procedures.
Apart from this, Andariel’s method involved:-
These attacks enabled Andariel to gain remote control over infected machines and indicated the changing strategies behind North Korea’s cyber campaigns and how South Korea’s industrial infrastructure must be properly strengthened.
Here below we have mentioned all the mitigations:-
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…