ESTsecurity: North Korean hacking groups put the defense industry on red alert during the Korea-US joint military exercises

2022. 8. 25.


A brazen cyber attack is underway, using lures disguised as genuine purchase orders and as documents protected by a domestic DRM product


Integrated security company ESTsecurity (CEO Jung Jin-il) has detected multiple signs of cyber threats against South Korean defense industry companies during the ongoing Korea-US joint military exercises and has warned the companies concerned to take special care, as the risk level is rising daily.

The first signs were detected on the 22nd, the day the Korea-US joint exercises began, in the form of a file masquerading as a utility that looks up the computer's IP and MAC addresses. When executed, the file does display the machine's real network information, but in the background it silently installs a malicious DLL module with backdoor functionality that collects internal information and attempts to exfiltrate it.

After this first detection, ESTsecurity's Security Response Center (ESRC) observed a steady increase in similar, irregularly timed attacks, and analysis showed that all of them exchanged commands with the same command-and-control IP address located in the US (216.189.154[.]6).

The attackers first disguised the malware as a network utility with an EXE extension. Apparently judging that approach insufficiently effective, they then returned to script-based attacks (JSE, VBS), giving the script files double extensions so that they appear to be PDF or XLSM documents. They also used the PIF extension, which Windows displays with a shortcut (LNK) icon even though the file is executed directly.
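The double-extension and PIF tricks described above can be screened for mechanically at a mail gateway or in a triage script. The following Python is an added example written for this page, not ESTsecurity's or ALYac's code. Only JSE, VBS and PIF (and the PDF/XLSM decoy types) come from the report; the other extensions in the lists and the whitespace-padding check are generalisations of the same trick, and the sample attachment names are constructed.

```python
import re
from dataclasses import dataclass, field

# File types Windows runs directly or hands to a script host. JSE, VBS and
# PIF are named in the report; the rest are common siblings added here as
# a generalisation.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "lnk",
                   "jse", "js", "vbs", "vbe", "wsf", "hta", "ps1"}
SCRIPT_EXTS = {"jse", "js", "vbs", "vbe", "wsf", "hta", "ps1"}
# Document types a lure pretends to be. PDF and XLSM are from the report;
# the others (HWP in particular, given Korean targets) are assumptions.
DOCUMENT_EXTS = {"pdf", "xlsm", "xlsx", "xls", "docx", "doc", "hwp", "pptx", "txt"}


@dataclass
class Verdict:
    filename: str
    real_ext: str                      # the extension the OS actually acts on
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def classify_filename(name: str) -> Verdict:
    """Flag a filename whose visible part suggests a document while the
    last extension is something Windows will execute."""
    reasons = []
    # Strip whitespace around each component so padded names still split.
    parts = [p.strip().lower() for p in name.split(".")]
    real_ext = parts[-1] if len(parts) > 1 else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable or script extension .{real_ext}")
        # A document extension anywhere before the real one is the
        # "purchase_order.pdf.jse" pattern.
        if any(p in DOCUMENT_EXTS for p in parts[1:-1]):
            reasons.append("document extension placed before the real one")
        # Long runs of spaces push the real extension off-screen in Explorer
        # and mail clients (generalisation, not from the report).
        if re.search(r"\s{4,}\.\w+$", name):
            reasons.append("whitespace padding pushes the real extension out of view")
        if real_ext == "pif":
            reasons.append("PIF executes like an EXE but is shown with a shortcut icon")
        if real_ext in SCRIPT_EXTS:
            reasons.append(f".{real_ext} is handed to a script interpreter "
                           "(WSH, mshta, PowerShell) rather than opened as data")
    return Verdict(name, real_ext, reasons)


def triage(names):
    """Return only the suspicious verdicts, the ones with most reasons first."""
    verdicts = [classify_filename(n) for n in names]
    return sorted((v for v in verdicts if v.suspicious),
                  key=lambda v: len(v.reasons), reverse=True)


# Constructed sample attachment names; not taken from the report.
SAMPLE_ATTACHMENTS = [
    "purchase_order_2022.pdf.jse",
    "estimate.xlsm.vbs",
    "견적서.pdf" + " " * 40 + ".jse",
    "network_info_tool.exe",
    "contract.pif",
    "meeting_minutes.docx",
    "README.txt.bak",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_ATTACHMENTS):
        print(f"{v.filename.strip()!r}: {'; '.join(v.reasons)}")
```

The check keys on the last extension only, because that is the one the shell acts on; a legitimate "notes.txt.bak" is therefore not flagged, while a bare executable is always reported, since in an attachment or download context that alone warrants review.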

Almost all of the threats detected share the same malicious pattern, and it is notable that internal documents and terminology of domestic defense companies were used as bait. In particular, some of the decoy documents displayed immediately after the malicious file runs were found to be encrypted with a domestic document security (DRM) solution, raising concern that internal material stolen earlier is being recycled for follow-on attacks and prompting calls for a thorough investigation by the authorities.

ESRC's investigation found the activity to be a continuation of the so-called "Blue Estimate" Advanced Persistent Threat (APT) campaign, which has for years targeted the defense sector, defense industry companies, pharmaceutical companies researching COVID-19, and Bitcoin exchanges, and which is widely assessed to be the work of North Korea's Reconnaissance General Bureau.

Phishing addresses crafted to look like the internal network login services of defense industry companies were also discovered. The attackers closely copied the design of the real sites, but on closer inspection there are clear differences from the legitimate pages, and a careful look at the URL in the address bar, compared against the official address, is the surest way to judge authenticity.
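The advice to check the URL can be turned into a concrete test that a help desk or a browser extension could run. The Python below is an added example, not code from ESTsecurity or from any defense company's site. The legitimate login hosts `login.example-defense.co.kr` and `sso.example-defense.co.kr` are placeholders, since the report does not name the impersonated sites, and the phishing-style URLs are constructed to show the usual tricks: the real host appended to a look-alike subdomain, userinfo before '@', a bare IP, a hyphenated brand name, and a non-Latin homoglyph letter.

```python
import ipaddress
from urllib.parse import urlsplit

# Placeholder legitimate login hosts; the report does not name the real ones.
ALLOWED_HOSTS = {"login.example-defense.co.kr", "sso.example-defense.co.kr"}
# Brand string to look for inside untrusted hosts, separators removed.
BRAND = "exampledefense"


def is_under(host: str, allowed: str) -> bool:
    """True if host is exactly `allowed` or a subdomain of it."""
    return host == allowed or host.endswith("." + allowed)


def check_login_url(url: str):
    """Return (ok, reasons). ok is True only for an https URL whose host is
    an allowed login host (or a subdomain of one) with no deception tricks."""
    reasons = []
    s = urlsplit(url.strip())
    host = (s.hostname or "").rstrip(".")   # .hostname is already lowercased
    if not host:
        return False, ["URL has no host"]

    if s.scheme != "https":
        reasons.append(f"scheme is '{s.scheme or 'none'}', not https")
    if s.username is not None:
        # Everything before '@' is userinfo; the browser connects to what follows.
        reasons.append("userinfo before '@': the real host is what follows it")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass

    # Convert to the ASCII form the resolver sees: a label that looks Latin
    # but encodes to xn-- contains non-ASCII letters (homoglyph trick).
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        reasons.append("punycode label: possible homoglyph domain")

    trusted = any(is_under(host, a) for a in ALLOWED_HOSTS)
    if not trusted:
        # "login.example-defense.co.kr.attacker.net" and
        # "login-example-defense-co-kr.com" both flatten to contain the brand.
        flat = host.replace("-", "").replace(".", "")
        if BRAND in flat:
            reasons.append("brand name embedded in an unapproved host (lookalike)")
        else:
            reasons.append("host is not an approved login host")
    return trusted and not reasons, reasons


# Constructed test URLs; none of these are real sites from the report.
SAMPLE_URLS = [
    "https://login.example-defense.co.kr/auth",
    "https://login.example-defense.co.kr.attacker-cdn.net/auth",
    "http://login.example-defense.co.kr@203.0.113.10/auth",
    "https://login-example-defense-co-kr.com/",
    "https://login.ex\u0430mple-defense.co.kr/",   # Cyrillic 'а' in "example"
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, why = check_login_url(u)
        print(f"{'OK  ' if ok else 'FAIL'} {u}  {'; '.join(why)}")
```

Trust is decided only by suffix match against the approved hosts; the brand-substring and punycode checks exist to explain why an untrusted host was chosen to look convincing, not to grant trust.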

An official from ESTsecurity's ESRC stated, "Amid the ongoing Korea-US joint military exercises, North Korea's cyber threats targeting domestic defense industry companies are becoming increasingly bold and heightened," and added, "Civilian experts in the defense sector should be aware that they can always be exposed to North Korea’s cyber threats and need to maintain a thorough cyber security posture at all times."

ESTsecurity has issued an urgent update to its ALYac product with detection for the newly discovered malicious files and is working closely with the relevant agencies, including the Korea Internet & Security Agency (KISA), to prevent further damage.


WE WORK WITH AI

We believe that AI makes the world more convenient and safer.

1. Senior care with AI: an AI senior care service, built on AI human technology, that takes responsibility for seniors' enjoyment and cognitive enhancement.

2. Education with AI: creation of video lectures by celebrity instructors, production of TOEIC speaking education content, AI fitness training instructors, and expansion into other educational fields through AI content.

3. Content with AI: 'moving pictures' implemented with EST AI technology, deep-learning 'face transformation, makeup application, and clothing creation', and AI human content such as virtual new-hire analysts and announcers.

4. API business with AI: AI-based data and solutions provided as APIs so that companies can focus on their core customer value.

5. Software with AI: ESTsoft AI technology applied in products such as ALTools and the background-removal feature of ALSee Capture, providing the utility environment users want.


LET'S Connect

We collaborate with ambitious brands and people around the world.

To learn more about creating digital experiences that effectively reach and engage customers and target audiences, please contact us.


CEO: Sangwon Jung

Business Registration Number 229-81-03214 Mail-Order Business Notification Number 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code 06711)
