Seoul accuses North Korea of stealing southern chipmakers’ designs – Source: go.theregister.com

North Korean government spies have broken into the servers of at least two chipmakers and stolen product designs as part of attempts to spur Kim Jong Un’s plans for a domestic semiconductor industry, according to Seoul’s security agency.

These digital intrusions, which began last year, have continued “until recently,” and targeted semiconductor equipment makers’ IT systems that were connected to the internet, the South Korean National Intelligence Service (NIS) warned on Monday.

After exploiting vulnerabilities to gain access — the NIS doesn’t specify which the miscreants abused — the North Korean cyberspies used “living off the land” techniques to remain hidden. This involbves using legit admin tools, rather than custom intrusion code, to blend in with normal network traffic and make their activities more difficult to detect.

“In December of last year, Company A and Company B in February of this year had their configuration management server and security policy server hacked, respectively, and product design drawings and facility site photos were stolen,” according to the alert.

The spy agency didn’t attribute the intrusions to a named North Korean-backed criminal gang. 

In addition to the attacks, the government also “believes that North Korea may have begun preparing to produce its own semiconductors due to difficulties in procuring semiconductors due to sanctions against North Korea and increased demand due to the development of weapons such as satellites and missiles,” Seoul warned.

The NIS notified the victim companies and worked with them to boost their network security to stop any further attempts. It also provided details of the incidents to all South Korean semiconductor companies to alert that North Korean cybercriminals could be lurking in their servers.

• Think tank report labels NSO, Lazarus as ‘cyber mercenaries’
• North Korea running malware-laden gambling websites as-a-service
• Uncle Sam tells nosy nations to keep their hands off Americans’ personal data
• Think tank warns North Korea uses AI for battle planning, maybe using cloudy resources

Monday’s warning comes less than a month after the NIS and the German Federal Office for the Protection of the Constitution (BfV) published [PDF] a second joint warning about North Korean state-sponsored spies’ attempts to steal defense technologies from organizations around the world. This included a supply-chain attack targeting a maritime and shipping technology research center at the end of 2022 by the unnamed Nork crew.

Berlin and Seoul also highlighted Lazarus Group’s social engineering attacks used to infiltrate defense companies since at least mid-2020, dubbed “Operation Dream Job.” These scams involve using phony job offers to trick job seekers into clicking on a malicious link or opening malware-laden attachments.

ClearSky and AT&T security researchers spotted Dream Job campaigns targeting defense, government, and engineering organizations in 2020 and 2021. 

A year later, Symantec threat hunters said Lazarus was using these tactics to break into chemical sector companies’ networks and Qualys documented a similar scam targeting Lockheed Martin job applicants. ®