The Korean Atomic Energy Research Institute (KAERI) was attacked after threat actors exploited a VPN vulnerability. KAERI is a government-sponsored organization for the research and application of nuclear power.

In an odd series of events, KAERI initially confirmed, then denied the attack happened. They’ve since apologized for trying to cover up the incident.

The attack took place on June 14th and logs show thirteen different unauthorized IP addresses gained access to KAERI’s network through the vulnerable VPN.

In what we can assume to be a targeted attack, one of the IP addresses is linked to a North Korean state-sponsored threat group by the name of Kimsuky. This group allegedly works under the North Korean Reconnaissance General Bureau intelligence agency.

Late last year, CISA issued a warning on the Kimsuky threat group stating they are “likely tasked by the North Korean regime with a global intelligence gathering mission”. An attack on a nuclear research facility seemingly proves CISA was correct about their assumption as most threat groups usually aren’t targeting nuclear research facilities for strictly financial gain. According to reports from other security researchers, lures were titled with connection to foreign affairs and proves that this facility was a high-priority target.

KAERI is still investigating exactly what happened in the attack and what information was accessed.

This attack on a nuclear facility follows a REvil ransomware attack on a U.S. nuclear weapons facility, Sol Oriens, in May. This is evidence of threat actors taking advantage of any opportunity that comes their way. Consequences of the attack are not in mind when threat actors attempt to steal intelligence, data, or money from organizations.

Since opportunity is what allows threat actors to be successful, ensure they don’t have any opportunities. Assess the weak points and vulnerabilities in your organization and improve upon them. If nobody is actively testing your defenses, your organization could be a sitting duck.

Ransomware is a growing problem and threat actors running the operations are sophisticated. It only takes one vulnerability to take down an entire organization for weeks. Be proactive in defending against cyber threats with SpearTip.

Our engineers work 24/7/365 to be able to defend against threats for our partners at any time in the day.  Working in tandem with our ShadowSpear platform, endpoints are protected and networks are continuously monitored through our Security Operations Center as a Service.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.