Globally, the defense industry is a top target for sophisticated nation-state actors seeking sensitive military technology and intelligence. And as SecurityWeek reports, one of Ukraine’s biggest suppliers amidst its war with Russia just fell victim to a cyberattack.
Diehl Defence, a major German defense technology manufacturer, reportedly suffered a significant breach at the hands of North Korea’s Kimsuky group.
The reported intrusion highlights the targeted nature of modern cyber espionage campaigns and the social engineering tactics that groups like Kimsuky use to infiltrate high-value organizations.
Diehl Defence & the IRIS-T System
Diehl Defence specializes in missiles, ammunition, and defense technology, and its profile rose significantly in the 2000s due to its production of the highly effective IRIS-T air defense system.
The IRIS-T, particularly the medium-range SLM and short-range SLS variants, has proven critical in conflicts like the war in Ukraine. Supplied by Germany, these systems have remarkable success rates in intercepting Russian aircraft, drones, and missiles, playing a role in protecting Ukrainian cities and infrastructure.
Given its battlefield effectiveness and advanced technology, the technical specifications and operational details of the IRIS-T system represent highly valuable intelligence for adversaries seeking to understand or counter Western military capabilities. As such, Diehl Defence is a logical and high-priority target for espionage-focused threat actors.
Anatomy of the Kimsuky Attack: Sophisticated Spear Phishing
According to reports, the breach wasn’t a brute-force attack but a carefully orchestrated spear-phishing campaign by the Kimsuky group.
The attackers conducted detailed reconnaissance on Diehl Defence employees before launching their operation, which allowed the group to craft sophisticated phishing lures.
In the attack, the primary vector was spear phishing emails containing fake job offers, potentially impersonating legitimate United States-based defense contractors to appear credible to Diehl Defence employees. The emails likely carried malicious attachments, such as weaponized PDF files designed to deploy malware when opened.
Kimsuky demonstrated operational sophistication by customizing its infrastructure. The group reportedly hid its command-and-control (C&C) server behind an address referencing Überlingen, the town in southern Germany where Diehl Defence is based, likely so that traffic to it would look legitimate and evade detection.
The same attack infrastructure hosted authentic-looking, German-language fake login pages mimicking major providers like Telekom and GMX. This suggests a broader objective of harvesting credentials from German users, potentially for future attacks or accessing victims’ other accounts.
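The two infrastructure tricks described above, a hostname that borrows the victim's location and fake pages that borrow a mail provider's brand, are both detectable from outbound proxy or DNS logs. The following scanner is an added example written for this article, not code from the original page, from Diehl Defence, or from any vendor; the log format, the brand-to-domain map, the hostnames and the client addresses are all constructed for illustration and are not indicators from the real case. It folds punycode and umlauts (Überlingen becomes ueberlingen), undoes digit-for-letter substitutions, and flags any host that mentions a brand or the location keyword without belonging to that brand's own domains:

```python
"""Added example, not code from the original article or from Diehl Defence:
a small scanner that runs over constructed proxy log lines and flags hostnames
that borrow a brand name (Telekom, GMX) or the company's location (Ueberlingen)
without belonging to that brand's legitimate domains. All hosts and addresses
below are constructed for illustration, not indicators from the real case."""
import re
import unicodedata
from dataclasses import dataclass

# Assumption for the example: brand keyword -> registrable domains the brand
# legitimately uses. A real deployment would source this from the mail/identity
# provider inventory, not hard-code it.
BRAND_KEYWORDS = {
    "telekom": {"telekom.de", "t-online.de"},
    "gmx": {"gmx.net", "gmx.de"},
    "ueberlingen": set(),  # location lure: no legitimate owner in this example
}

# Digit-for-letter substitutions commonly used in lookalike labels.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed log format: <timestamp> <client> CONNECT <host>:<port>
LOG_RE = re.compile(r"^(\S+) (\S+) CONNECT (\S+?):(\d+)$")


def fold(host: str) -> str:
    """Lower-case, decode punycode labels, and fold umlauts/accents (ü -> ue)."""
    labels = []
    for label in host.strip().rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # keep the raw label if it is not valid punycode
        labels.append(label)
    host = ".".join(labels)
    for src, dst in (("ä", "ae"), ("ö", "oe"), ("ü", "ue"), ("ß", "ss")):
        host = host.replace(src, dst)
    host = unicodedata.normalize("NFKD", host)
    return "".join(c for c in host if not unicodedata.combining(c))


def keyword_form(folded_host: str) -> str:
    """Strip separators and undo leet digits so 'te1ekom-login' matches 'telekom'."""
    return folded_host.translate(LEET).replace("-", "").replace(".", "")


def registrable_domain(host: str) -> str:
    """Last two labels. A real scanner should use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


@dataclass
class Finding:
    line_no: int
    host: str
    keyword: str
    reason: str


def classify(host: str, line_no: int = 0) -> list[Finding]:
    """Return one Finding per borrowed keyword that the host has no right to use."""
    folded = fold(host)
    kw_view = keyword_form(folded)
    reg = registrable_domain(folded)
    findings = []
    for kw, legit in BRAND_KEYWORDS.items():
        if kw not in kw_view:
            continue
        if legit and reg in legit:
            continue  # the brand's own domain, e.g. webmail.gmx.net
        reason = ("brand keyword outside the brand's domains" if legit
                  else "company location used as a lure")
        findings.append(Finding(line_no, host, kw, reason))
    return findings


def scan(log_text: str) -> list[Finding]:
    """Parse every CONNECT line and classify its destination host."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if m:
            findings.extend(classify(m.group(3), n))
    return findings


# Constructed sample log; the IDN host is built with Python's idna codec so the
# punycode form is exact. None of this is real traffic.
IDN_HOST = "überlingen-portal.example".encode("idna").decode("ascii")
SAMPLE_LOG = f"""\
2024-09-01T08:01:02Z 10.0.0.15 CONNECT webmail.gmx.net:443
2024-09-01T08:02:10Z 10.0.0.15 CONNECT login.telekom.de:443
2024-09-01T08:05:33Z 10.0.0.22 CONNECT te1ekom-login.example:443
2024-09-01T08:06:01Z 10.0.0.22 CONNECT gmx.net.mail-secure.example:443
2024-09-01T08:07:45Z 10.0.0.31 CONNECT {IDN_HOST}:443
2024-09-01T08:09:12Z 10.0.0.31 CONNECT www.example.org:443
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.host} -> {f.keyword}: {f.reason}")
```

Run against the constructed log, the first two lines pass because their registrable domains are the brands' own, while the leet-spelled Telekom lookalike, the GMX name buried in a subdomain of an unrelated domain, and the punycode Überlingen host are all flagged. The allowlist check on the registrable domain is what keeps the rule from drowning in hits on the providers' real hosts; swapping the naive two-label split for a public suffix list is the first hardening step before using this in production.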
While the specific data exfiltrated during the breach hasn’t been detailed publicly, the attackers’ focus on a leading missile manufacturer strongly suggests an interest in proprietary technical data related to systems like IRIS-T, alongside employee credentials or other sensitive corporate information.
The Perpetrator: Kimsuky
Kimsuky, also tracked under various names like APT43, Velvet Chollima, Emerald Sleet, and TA406, is a well-known cyber espionage group strongly linked to the North Korean government.
Unlike other North Korean groups that are heavily focused on financial theft, Kimsuky’s primary motivation is intelligence gathering. Their targets often include government entities, think tanks, research centers, universities, journalists, and defense organizations worldwide.
Kimsuky’s operations often support North Korea’s strategic objectives, including gathering information about foreign policy, nuclear capabilities, and military technologies. It’s known for persistence and sophisticated social engineering tailored to specific individuals or organizations.
Geopolitical Motivations: Why Target Diehl Defence?
North Korea’s interest in a company like Diehl Defence aligns with several potential strategic goals, including:
- Acquiring Technology: Gaining access to the design specifications, performance data, and manufacturing processes of state-of-the-art systems like IRIS-T could aid North Korea’s own missile and air defense development programs.
- Understanding Western Capabilities: Breaching a supplier for NATO countries and Ukraine provides insights into the operational capabilities and vulnerabilities of Western defense systems.
- Disruption & Sabotage: While espionage appears to be the primary motive, the access gained could potentially be leveraged for disruptive purposes in a future conflict scenario.
The Ongoing Battle Against State-Sponsored Cyber Espionage
The reported breach of Diehl Defence by North Korea’s Kimsuky group is a clear illustration of the ongoing cyber espionage threat facing the defense industry and other critical infrastructure sectors.
Nation-state actors possess the resources, patience, and technical skill to execute highly targeted and sophisticated attacks.
Defending against such threats requires constant vigilance, investment in advanced security technologies, robust processes, and a well-informed workforce. Security awareness training focused on recognizing the specific social engineering and spear phishing tactics used by groups like Kimsuky is indispensable in protecting sensitive national security information and proprietary technology.