Hyundai Merchant Marine (HMM) was targeted in a prolonged cyber-espionage campaign from **April 2010 to 2013** by North Korean attackers using the **Icefog (Fucobha) backdoor**. The attack, attributed to the **Kimsuky APT group**, relied on **spear-phishing and exploits of known vulnerabilities** to infiltrate the company’s systems. The attackers maintained persistent access for **months to years**, continuously exfiltrating sensitive data, including **documents, email credentials, and network access passwords**. The campaign focused on **data theft**, compromising the **supply chain** and targeting entities like **government institutions, military contractors, maritime/shipbuilding groups, telecom operators, satellite operators, and high-tech firms**. HMM, a key player in global shipping, faced **long-term intelligence extraction**, risking **operational secrets, proprietary maritime data, and potential disruptions to logistics networks**. The attack’s stealthy nature allowed sustained espionage, posing **strategic risks to corporate and national security** while undermining trust in critical infrastructure.
Source: https://www.theregister.com/2013/09/26/icefog_hit_and_run_apt_japan_south_korea/
TPRM report: https://www.rankiteo.com/company/hmmofficial
"id": "hmm702092025",
"linkid": "hmmofficial",
"type": "Cyber Attack",
"date": "4/2010",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': ['maritime', 'shipbuilding', 'logistics'],
                        'location': 'South Korea',
                        'name': 'Hyundai Merchant Marine',
                        'type': 'company'}],
 'attack_vector': ['spear-phishing', 'exploitation of known vulnerabilities'],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'high (espionage-targeted, internal '
                                        'network access)',
                 'type_of_data_compromised': ['documents',
                                              'email credentials',
                                              'network access passwords']},
 'description': 'Hyundai Merchant Marine was targeted by North Korean '
                "attackers (APT group 'Icefog' or 'Fucobha') in a prolonged "
                'cyber-espionage campaign from April 2010 to 2013. The attack '
                'relied on spear-phishing and exploits for known '
                "vulnerabilities to deploy the 'Icefog' backdoor. The "
                "campaign, named 'Kimsuky,' focused on data theft, including "
                'documents, email credentials, and network access passwords. '
                'Victims remained infected for months or years, with '
                'continuous data exfiltration. The operation targeted supply '
                'chains, government institutions, military contractors, '
                'maritime/shipbuilding groups, telecom/satellite operators, '
                'industrial/high-tech companies, and mass media.',
 'impact': {'data_compromised': ['documents',
                                 'email account credentials',
                                 'network access passwords']},
 'initial_access_broker': {'backdoors_established': ['Icefog/Fucobha backdoor'],
                           'entry_point': ['spear-phishing',
                                           'exploited vulnerabilities'],
                           'high_value_targets': ['government institutions',
                                                  'military contractors',
                                                  'maritime/shipbuilding '
                                                  'groups',
                                                  'telecom operators',
                                                  'satellite operators',
                                                  'industrial/high-tech '
                                                  'companies',
                                                  'mass media'],
                           'reconnaissance_period': 'prolonged (months to '
                                                    'years)'},
 'motivation': 'data theft (documents, email credentials, network access '
               'passwords) for espionage purposes',
 'post_incident_analysis': {'root_causes': ['spear-phishing success',
                                            'unpatched vulnerabilities',
                                            'persistent backdoor '
                                            '(Icefog/Fucobha)']},
 'threat_actor': ['Icefog', 'Fucobha', 'Kimsuky (North Korean APT group)'],
 'title': 'Hyundai Merchant Marine Cyber-Espionage Campaign (Kimsuky) via '
          'Fucobha/Icefog Backdoor (2010–2013)',
 'type': ['cyber-espionage',
          'APT (Advanced Persistent Threat)',
          'supply chain attack']}