Threat Watch

South Korean Nuclear Research Institute Breached

A South Korean nuclear power research organization, the Korea Atomic Energy Research Institute (KAERI), has admitted that it was investigating a breach it suspects is the work of Kimsuky, a North Korean state-sponsored threat actor that has been active since 2012. The attack happened on May 14th and was the result of an unpatched vulnerability in the organization's VPN. An outside investigation determined that one of the 13 IP addresses used to attack the organization was traced back to Kimsuky. The organization is still investigating the breach but has blocked the IP addresses and patched the vulnerability.

ANALYST NOTES

Vulnerabilities that are left unpatched within systems are constantly being exploited by threat actors, and these attacks can come even years after a vulnerability is disclosed. Whenever patches are released for a system as public-facing and critical as a VPN or other remote access server, it is important that they are tested and deployed as quickly as possible. Companies should also utilize a monitoring service such as Binary Defense’s Managed Detection and Response to monitor for any unusual behavior that could be occurring because of an attack. Blocking attackers by IP address is usually not an effective solution on its own, because it is quite simple for attackers to switch to a different IP address by leasing a new server, using a proxy server, or simply getting a new IP address assigned to a server they already use.

More can be read here: https://www.infosecurity-magazine.com/news/nuclear-research-institute/