North Korean hackers strike again

North Korean hackers stole over 42,000 documents, mostly defense-related, after breaking into the networks of South Korean conglomerates such as SK Group and Hanjin Group, the National Police Agency revealed Monday.
The agency concluded from its investigation that North Korea began hacking the networks in July 2014 and continued for over a year and a half until February, gaining access to over 130,000 computers. Police said North Korea took advantage of security vulnerabilities in the networks and siphoned a total of 42,608 documents.
These included documents from 17 affiliates of SK Group, including SK Networks, and 10 affiliates of Hanjin Group, including Korean Air.
The materials Pyongyang obtained from the long-term penetration of these networks included photos of South Korea’s medium-altitude unmanned aerial vehicle, blueprints for the wings of the U.S. F-15 fighter jet, maintenance manuals, and various materials related to research and development projects.
SK Networks said its stolen materials included data on the communications network in army barracks. The compromised material included 958 defense-related documents and 5,162 industry-related documents from SK Group and 32,913 defense-related items from Hanjin. KT also had 3,575 documents taken but the attack on its network was thwarted early on.
Police and defense officials denied that any top-secret information that could pose a security threat was taken by Pyongyang.
Other key data, such as the interior blueprint of the UAV or blueprints to the more advanced F-15K fighters, was not taken, police emphasized.
However, what could have been Pyongyang’s largest-scale cyberattack on Korea was thwarted as South Korean police began an investigation in February after suspecting that malicious code had been distributed by Pyongyang, which conducted its fourth nuclear test in January.
The agency concluded that North Korean hackers affiliated with its Reconnaissance General Bureau used an IP address traced to Pyongyang’s Ryugyong-dong to attack the two major conglomerates.
It added that the IP address was identical to the one Pyongyang used in the March 20, 2013 cyberattack against South Korean financial institutions and media.
There were attempts to attack about 20 such locations using this system, but they were not breached because a security program update had been applied to prevent future hacking attempts through this method.
BY SARAH KIM