ESTsecurity, during the US-Korea joint military exercise period, North Korean hacking groups signal a red alert targeting the defense industry.
2022. 8. 25.
A bold cyber attack is underway, disguised as actual purchase orders or DRM documents for domestic security products
Integrated security company ESTsecurity (CEO Jung Jin-il) has detected multiple signs of cyber threats targeting South Korean defense industry companies amid ongoing Korea-US joint military exercises, and has warned related companies to take special care as the risk level increases daily.
The first signs of the attack were detected on the 22nd, the day the Korea-US joint exercises began. The lure at that stage was a program masquerading as a tool for looking up a computer's IP and MAC address. When the file is executed it does display the computer's real network information, but in the background it silently installs a malicious DLL module with backdoor functionality that collects internal information and attempts to exfiltrate it.
After the initial detection, ESTsecurity's Security Response Center (ESRC) observed that similar attacks continued at irregular intervals and kept increasing in number; analysis showed that all of them exchanged malicious commands with the same command-and-control IP address located in the US (216.189.154[.]6).
The attackers initially disguised the malware as a network program with an EXE file extension. Judging the effect of that wave insufficient, they returned to script-based (JSE, VBS) methods, appending a second extension so the files appear to be PDF or XLSM documents. They also employed the PIF file extension, which often appears with a shortcut (LNK) icon.
Almost all of the threats detected this time share the same malicious pattern, and it is notable that internal documents and expressions related to domestic defense companies were used as bait. In particular, some of the decoy files displayed immediately after the malicious files run were found to be encrypted with a domestic document security solution (DRM). This raises the concern that internal materials already stolen are being recycled as lures for follow-on attacks, and has prompted calls for a thorough investigation by the authorities.
The ESRC's investigation revealed that the activity is an extension of the so-called "Blue Estimate" Advanced Persistent Threat (APT) campaign, which has for years persistently attacked the defense sector, defense industry companies, pharmaceutical companies researching the coronavirus, and Bitcoin exchanges; it is widely known that North Korea's Reconnaissance General Bureau is behind this campaign.
Phishing URLs crafted to look like the internal network login services of defense industry companies were also discovered. The attackers built them to closely mimic the design of the real websites. On closer inspection, however, there are clear differences from the legitimate sites, and comparing the address carefully against the official URL is the most reliable way to determine authenticity.
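The two detection points the article describes, document-like double extensions and PIF files on the one hand and lookalike login URLs on the other, translate directly into mail-gateway or user-awareness checks. The following Python is an added example written for this page, not ESTsecurity's own code or detection logic; the attachment names and the official host `login.example.test` are constructed placeholders, not indicators from the campaign.

```python
from urllib.parse import urlsplit

# Constructed sample attachment names modelled on the tactics described in the
# article (document-like double extensions, PIF, a plain EXE). Not real IoCs.
SAMPLE_ATTACHMENTS = [
    "purchase_order_2022.pdf.jse",
    "estimate_sheet.xlsm.vbs",
    "network_info_check.exe",
    "defense_project_brief.pif",
    "quarterly_report.pdf",
    "photo.jpg",
]

# Extensions Windows executes on double-click (scripts, executables, shortcuts).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk"}
# Extensions that look like harmless documents and are used as the visible
# "fake" part of a double extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "xlsm", "ppt", "pptx",
                 "hwp", "txt", "jpg", "png"}


def triage_filename(name: str) -> list[str]:
    """Return the reasons a filename matches the lure patterns (empty = no match)."""
    parts = name.lower().rsplit(".", 2)   # at most: stem, fake ext, real ext
    reasons: list[str] = []
    if len(parts) < 2:
        return reasons                     # no extension at all
    final_ext = parts[-1]
    if final_ext not in EXECUTABLE_EXTS:
        return reasons                     # not something Windows will run
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTS:
        reasons.append(f"double extension: looks like .{parts[1]} but runs as .{final_ext}")
    elif final_ext == "pif":
        reasons.append("PIF executable (shown with a shortcut-style icon)")
    else:
        reasons.append(f"executable attachment: .{final_ext}")
    return reasons


def scan_attachments(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious filename to its triage reasons; clean names are omitted."""
    return {n: r for n in names if (r := triage_filename(n))}


def is_legitimate_login_url(url: str, official_hosts: set[str]) -> bool:
    """True only if the URL's real hostname exactly equals one of the official hosts.

    Rejects the common lookalike tricks: the official name used as a prefix of a
    longer attacker-controlled name, the official name placed in the userinfo
    part before '@', Unicode homoglyph hosts (compared after IDNA encoding), and
    plain-http downgrades of a service that should only be reached over https.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")   # homoglyphs become xn--... and fail to match
    except UnicodeError:
        return False
    return host in {h.lower() for h in official_hosts}


if __name__ == "__main__":
    for name, why in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'; '.join(why)}")
    official = {"login.example.test"}                # constructed placeholder host
    for candidate in ["https://login.example.test/sso",
                      "https://login.example.test.attacker.example/sso",
                      "https://login.example.test@attacker.example/",
                      "http://login.example.test/sso"]:
        print(candidate, "->", "official" if is_legitimate_login_url(candidate, official) else "NOT official")
```

The filename check deliberately keys on the last extension only, because that is the one Windows acts on; the "document" extension in the middle is purely cosmetic. The URL check compares the parsed hostname, not the string the user sees, which is what defeats the userinfo and prefix tricks.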
An official from ESTsecurity's ESRC stated, "Amid the ongoing Korea-US joint military exercises, North Korea's cyber threats targeting domestic defense industry companies are becoming increasingly bold and heightened," and added, "Civilian experts in the defense sector should be aware that they can always be exposed to North Korea’s cyber threats and need to maintain a thorough cyber security posture at all times."
ESTsecurity has urgently updated its ALYac product with detection capabilities for the newly discovered malicious files and is closely collaborating with relevant ministries including the Korea Internet & Security Agency (KISA) to take measures to prevent further damage.
WE WORK WITH AI
We believe that AI makes the world more convenient and safer
1. Senior care with AI
AI senior care service that takes responsibility for seniors' fun and cognitive enhancement with AI human technology
2. Education with AI
Expansion of educational businesses in various fields, such as celebrity instructor video lecture creation, TOEIC speaking education content production, and AI content as a fitness training instructor
3. Content with AI
Implementing 'moving pictures' with EST AI technology, 'face transformation, makeup application, and clothing creation' through deep learning
Creating and utilizing various AI human content such as new employee analysts, announcers, etc.
4. API business with AI
We provide data and solutions utilizing AI through APIs so that companies can focus on their inherent customer value.
5. Software with AI
Background removal technology applied in ALSee Capture, like the smooth design of ESTsoft AI technology and ALTools products, provides the utility environment that users want.
LET'S Connect
We collaborate with ambitious brands and people around the world.
To learn more about creating digital experiences that effectively reach and engage customers and target audiences, please contact us.
Download Company Brochure
CEO: Sangwon Jung
Business Registration Number 229-81-03214 Mail-Order Business Notification Number 2011-Seoul Seocho-1962
EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code)06711
Family Site
ⓒ EST. 2024