North Korea stole F-15 blueprints and 42,000 defense-related documents from South Korea

140,000 computers at defense contractor firms and government agencies said to have been targeted.

Ali taherian
Ali Taherian

North Korea stole F-15 blueprints and 42,000 defense-related documents from South Korea

South Korea appears to have been hacked once again by its northern rival, and thousands of defense-related documents have been stolen.

According to claims by South Korea’s police cyber investigation unit, the attack from North Korea began to target 140,000 computers at defense contractor firms and government agencies back in 2014, but was only unearthed in February this year.

South Korean police say they believe that North Korea was either planning a major internet attack, or running a long term campaign to steal as much information as possible:

Sign up to our free newsletter.
Security news, advice, and tips.

“There is a high possibility that the North aimed to cause confusion on a national scale by launching a simultaneous attack after securing many targets of cyber terror, or intended to continuously steal industrial and military secrets.”

According to a Reuters report, corporate victims of the hacking attack have included companies in the SK Holdings group and Korean Air Lines, although they say that they closed the breaches quickly and any leaked files were not classified.

95% of the stolen material seized by the hackers is said to be defense-related, and most recently, documents stolen have included blueprints for the wings of F-15 fighter jets.

Even though North Korea has always denied any involvement in past hacking atttacks, investigators claim that the campaign originated from the North Korean capital of Pyongyang. Interestingly, the traced IP address originating the hacking is said to be identical to the so-called “Dark Seoul” cyber-attack against South Korean banks and broadcasters in 2013.


Network management software widely used by government agencies and private companies have been targeted in this latest attack.

Although accurately attributing internet attacks is notoriously difficult, North Korea has often been blamed for launching internet attacks – including the assault that froze parts of South Korea’s banking infrastructure in 2013, the infamous attack against Sony Pictures in 2014, and the recent attack against the Bangladesh central bank.

Sony attack

Although North Korea’s internet attack capability may be considerable, and no country would be wise to treat it less than seriously, we should also be careful not to believe too quickly some of the hyperbole that has previously seen claims that North Korean hackers could kill and “destroy cities”.

Ali Taherian is an information security specialist with a great passion for FinTech innovations. He has finished his education in information security and has been working in banking and payment software industry. Taherian is proud to be a certified IBM Cloud Computing Solution Advisor and ECSA and enjoys writing and tweeting about security advances and news. Find out more on his website at

4 comments on “North Korea stole F-15 blueprints and 42,000 defense-related documents from South Korea”

  1. Murray Parkinson

    I'll bet China is somewhere behind this. At least China & Russie will be th most likely to purchase the info stolen. Not much North Korea could do with info on fighter jets, other than sell it.

  2. John Lewis

    State sponsored APT attacks against defence contractors and their supply chains have been going on for years and many have been successful. Once your systems have been breached it is almost impossible (very expensive) to assure that they are clean and not open to a lurking threat.

  3. MeMyselfandI

    I have but one question, Why would S. Korea have these documents on a computer that is connected to the internet? The best way to stop a hacker is to not have a computer with classified information on it connected to the internet.

    1. Richard · in reply to MeMyselfandI

      The host that the data was on is very unlikely to have been 'connected' to the Internet. However, is it likely that the target host was on a connected network or at least 'reachable' from another host that was available to attack from the Internet. Once the attacker was on the inside, it's fairly trivial for them to move laterally through the network looking for loot of interest. Remember also, that the attack could easily also have started with a socially engineered attack like a well-crafted Phishing mail. Malicious links could then have allowed malware to propagate through the network opening up backdoors to the attackers. Furthermore, there are many other vectors like compromised mobile devices or compromised insiders that could have enabled the breach too…

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.