North Korean cybercriminal groups Kimsuky (APT43) and Andariel (APT45) exploited a VPN software update flaw in South Korea to install malware and steal trade secrets from construction and machinery companies.

The malicious actors are believed to be operating in connection with North Korea’s nationwide industrial factories modernization project. The two groups involved, Kimsuky (APT43) and Andariel (APT45), are linked to the Lazarus Group, a threat actor that in March 2024, leveraged an undisclosed Windows vulnerability to conduct cyberattacks.

ASEC’s report shows that Kimsuky compromised a South Korean construction trade organization’s website in January 2024 by disseminating malware through trojanized installers named “NX_PRNMAN” or “TrustPKI.” These installers were signed with a certificate from Korean defense company “D2Innovation,” allowing them to bypass antivirus checks.

Upon installation, the malware captured screenshots, stole browser data, and extracted sensitive information, including GPKI certificates and SSH keys. This attack affected construction companies, public institutions, and local governments.

In April 2024, Andariel exploited a vulnerability in a domestic VPN software’s communication protocol to distribute the DoraRAT malware through fake software updates. The malware targeted construction and machinery companies, enabling the theft of large files, such as design documents.

The NCSC advises website operators at risk of state-sponsored hacking to request security inspections from Korea’s Internet & Security Agency (KISA). They recommend implementing strict software distribution approval policies and requiring administrator authentication for the final distribution stage.

Additionally, keeping software and operating systems updated, providing ongoing employee security training, and monitoring government cybersecurity advisories are crucial for preventing such attacks.

North Korean hackers are linked to numerous incidents. In June 2023, such hackers targeted JumpCloud, a US-based company that provides user/device management and authentication services.