North Korea stole F-15 blueprints and 42,000 defense-related documents from South Korea

140,000 computers at defense contractor firms and government agencies said to have been targeted.

South Korea appears to have been hacked once again by its northern rival, and thousands of defense-related documents have been stolen.

According to claims by South Korea's police cyber investigation unit, the attack from North Korea began to target 140,000 computers at defense contractor firms and government agencies back in 2014, but was only unearthed in February this year.

South Korean police say they believe that North Korea was either planning a major internet attack, or running a long-term campaign to steal as much information as possible:

"There is a high possibility that the North aimed to cause confusion on a national scale by launching a simultaneous attack after securing many targets of cyber terror, or intended to continuously steal industrial and military secrets."

According to a Reuters report, corporate victims of the hacking attack have included companies in the SK Holdings group and Korean Air Lines, although the companies say that they closed the breaches quickly and that none of the leaked files were classified.

95% of the material seized by the hackers is said to be defense-related, and the most recently stolen documents have included blueprints for the wings of F-15 fighter jets.

Even though North Korea has always denied any involvement in past hacking attacks, investigators claim that the campaign originated from the North Korean capital of Pyongyang. Interestingly, the IP address traced as the origin of the hacking is said to be identical to one used in the so-called "Dark Seoul" cyber-attack against South Korean banks and broadcasters in 2013.

Network management software widely used by government agencies and private companies has been targeted in this latest attack.

Although accurately attributing internet attacks is notoriously difficult, North Korea has often been blamed for launching internet attacks - including the assault that froze parts of South Korea’s banking infrastructure in 2013, the infamous attack against Sony Pictures in 2014, and the recent attack against the Bangladesh central bank.

Although North Korea's internet attack capability may be considerable, and no country would be wise to treat it less than seriously, we should also be careful not to believe too quickly some of the hyperbole that has previously seen claims that North Korean hackers could kill and "destroy cities".

4 Responses

  1. Murray Parkinson

    June 15, 2016 at 1:09 am #

    I'll bet China is somewhere behind this. At least China & Russia will be the most likely to purchase the info stolen. Not much North Korea could do with info on fighter jets, other than sell it.

  2. John Lewis

    June 15, 2016 at 10:16 am #

    State sponsored APT attacks against defence contractors and their supply chains have been going on for years and many have been successful. Once your systems have been breached it is almost impossible (very expensive) to assure that they are clean and not open to a lurking threat.

  3. MeMyselfandI

    June 16, 2016 at 6:23 am #

    I have but one question, Why would S. Korea have these documents on a computer that is connected to the internet? The best way to stop a hacker is to not have a computer with classified information on it connected to the internet.

    • Richard in reply to MeMyselfandI.

      June 16, 2016 at 3:24 pm #

      The host that the data was on is very unlikely to have been 'connected' to the Internet. However, it is likely that the target host was on a connected network or at least 'reachable' from another host that was available to attack from the Internet. Once the attacker was on the inside, it's fairly trivial for them to move laterally through the network looking for loot of interest. Remember also that the attack could easily have started with a socially engineered attack like a well-crafted phishing mail. Malicious links could then have allowed malware to propagate through the network, opening up backdoors to the attackers. Furthermore, there are many other vectors like compromised mobile devices or compromised insiders that could have enabled the breach too…