Hyundai Merchant Marine (HMM) was targeted in a prolonged cyber-espionage campaign from April 2010 to 2013 by North Korean attackers using the Icefog (Fucobha) backdoor. The attack, part of the Kimsuky APT group's activity, relied on spear-phishing and exploits of known vulnerabilities to infiltrate the company’s systems. The attackers maintained persistent access for months to years, continuously exfiltrating sensitive data, including documents, email credentials, and network access passwords. The campaign focused on data theft, compromising the supply chain and targeting entities such as government institutions, military contractors, maritime/shipbuilding groups, telecom operators, satellite operators, and high-tech firms. HMM, a key player in global shipping, faced long-term intelligence extraction, putting at risk operational secrets and proprietary maritime data and potentially disrupting logistics networks. The attack’s stealthy nature allowed sustained espionage, posing strategic risks to corporate and national security while undermining trust in critical infrastructure.
Source: https://www.theregister.com/2013/09/26/icefog_hit_and_run_apt_japan_south_korea/
TPRM report: https://www.rankiteo.com/company/hmmofficial
"id": "hmm702092025",
"linkid": "hmmofficial",
"type": "Cyber Attack",
"date": "4/2010",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': ['maritime', 'shipbuilding', 'logistics'],
                        'location': 'South Korea',
                        'name': 'Hyundai Merchant Marine',
                        'type': 'company'}],
 'attack_vector': ['spear-phishing', 'exploitation of known vulnerabilities'],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'high (espionage-targeted, internal '
                                        'network access)',
                 'type_of_data_compromised': ['documents',
                                              'email credentials',
                                              'network access passwords']},
 'description': 'Hyundai Merchant Marine was targeted by North Korean '
                "attackers (APT group 'Icefog' or 'Fucobha') in a prolonged "
                'cyber-espionage campaign from April 2010 to 2013. The attack '
                'relied on spear-phishing and exploits for known '
                "vulnerabilities to deploy the 'Icefog' backdoor. The "
                "campaign, named 'Kimsuky,' focused on data theft, including "
                'documents, email credentials, and network access passwords. '
                'Victims remained infected for months or years, with '
                'continuous data exfiltration. The operation targeted supply '
                'chains, government institutions, military contractors, '
                'maritime/shipbuilding groups, telecom/satellite operators, '
                'industrial/high-tech companies, and mass media.',
 'impact': {'data_compromised': ['documents',
                                 'email account credentials',
                                 'network access passwords']},
 'initial_access_broker': {'backdoors_established': ['Icefog/Fucobha backdoor'],
                           'entry_point': ['spear-phishing',
                                           'exploited vulnerabilities'],
                           'high_value_targets': ['government institutions',
                                                  'military contractors',
                                                  'maritime/shipbuilding '
                                                  'groups',
                                                  'telecom operators',
                                                  'satellite operators',
                                                  'industrial/high-tech '
                                                  'companies',
                                                  'mass media'],
                           'reconnaissance_period': 'prolonged (months to '
                                                    'years)'},
 'motivation': 'data theft (documents, email credentials, network access '
               'passwords) for espionage purposes',
 'post_incident_analysis': {'root_causes': ['spear-phishing success',
                                            'unpatched vulnerabilities',
                                            'persistent backdoor '
                                            '(Icefog/Fucobha)']},
 'threat_actor': ['Icefog', 'Fucobha', 'Kimsuky (North Korean APT group)'],
 'title': 'Hyundai Merchant Marine Cyber-Espionage Campaign (Kimsuky) via '
          'Fucobha/Icefog Backdoor (2010–2013)',
 'type': ['cyber-espionage',
          'APT (Advanced Persistent Threat)',
          'supply chain attack']}