North Korea Likely Culprit in Cyberattack on South Korea's Atomic Energy Institute

North Korea is the likely suspect behind a cyberattack last month on the South Korean Atomic Energy Research Institute (KAERI), which was caused by a vulnerability in the virtual private network (VPN) system, KAERI said in a press release on Friday.

Multiple unauthorized IP addresses accessed the KAERI internal network on May 14, Ha Tae-keung, a South Korean Representative and member of the parliamentary intelligence committee, said during a press conference. The think tank said it blocked the attackers' IP address and the security system was updated after the attack was discovered on May 31.

"It has been confirmed that a hacking accident occurred at the Korea Atomic Energy Research Institute and the government authorities are currently investigating," the press release said.

The institute came under criticism for previously denying the attack when the story was initially broken by South Korean news outlet Sisa Journal. KAERI apologized for the denial in the press release, where it said the comment was made by mistake as the damage had not been confirmed.

"The Korea Atomic Energy Research Institute apologizes for causing concern to the public due to this hacking incident," KAERI said in the press release.

A South Korean nuclear scientist tests a partly dismantled experimental reactor for radiation at the Korea Atomic Energy Research Institute on Sept. 10, 2004, in Seoul, South Korea. South Korea admitted that its scientists extracted a small amount of plutonium, a key ingredient for making nuclear bombs, in secret research in the early 1980s. The admission came just one week after the country said its scientists had conducted unauthorized experiments to enrich uranium, which is also used to build nuclear weapons. Chung Sung-Jun/Getty Images

One of the IP addresses was tracked through an analysis back to the infamous North Korean cyber espionage group Kimsuky, according to the institute and Ha.

"If the state's key technologies on nuclear energy have been leaked to North Korea, it could be the country's biggest security breach, almost the same level as a hacking attack by the North into the defense ministry in 2016," Ha said during the press conference.

The analysis was performed by Seoul-based cybersecurity firm IssueMakersLab on Thursday. The address traced back to Kimsuky was confirmed to be the same address that targeted COVID-19 vaccine developers in South Korea last year.

"Kimsuky is a hacking group that was identified in 2011. We have been watching their consistent hacking attempts on South Korean government-related agencies and several companies," Simon Choi, head of IssueMakersLab, told ABC News.

According to the U.S. Cybersecurity and Infrastructure Agency (CISA), "Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions." CISA also noted Kimsuky specifically targets think tanks and South Korean government entities.

Kimsuky's best-known cyberattack occurred in 2014, when it successfully hacked into Korea Hydro & Nuclear Power Company, which operates large nuclear and hydroelectric plants in South Korea. The power company supplies over 34 percent of the country's total power.

In 2019, the U.S. Treasury Department sanctioned three North Korean hacking groups believed to be connected with the North Korean government, Lazarus Group, Bluenoroff and Andariel, for "cyber attacks to support illicit weapon and missile programs."