thediplomat.com
By Raphael Rashid
October 07, 2025

White hat hackers exposed a systematic breach of South Korea’s digital backbone, but Seoul remains silent on the crisis.

“It was by accident,” Saber told The Diplomat when asked how the white hat hacker and their partner cyb0rg discovered what appears to be one of the most comprehensive known penetrations of the South Korean government’s digital infrastructure in recent memory.

The two independent security researchers, only identified by their pseudonyms, claim to have compromised a workstation they attributed to Kimsuky, North Korea’s state-sponsored cyber espionage group. They published their findings in August through the hacker magazine Phrack at the annual DEF CON hacker conference in Las Vegas.

Their 8.9GB data dump triggered intense debate about who was really behind the systematic breach of South Korea’s most sensitive systems, and how it could ever have happened.

What the Hackers Found

The leaked data shows deep, sustained access to South Korea’s government backbone. At the center is the Onnara system, the government’s operational platform that handles document, inter-ministry communications, and knowledge management across central and local agencies.

Technical evidence shows the operator maintained active access to Onnara with custom automation tools and session management capabilities. The dump also revealed compromised email credentials for multiple accounts at the Defense Counterintelligence Command, with phishing attacks continuing until just days before publication.

The breach extended across multiple government institutions. The data includes complete source code from the Ministry of Foreign Affairs’ email platform, alongside evidence of targeting the Supreme Prosecutor’s Office and compromising the Ministry of Unification through brute-force attacks against the ministry’s domain. The dump also contains thousands of GPKI digital certificates – the cryptographic keys securing official communications – along with cracked passwords that protected them.

Telecommunications were also hit. The dump shows access to LG Uplus and credential collections indicating penetration of KT’s infrastructure. These firms are two of South Korea’s three major telecom operators.

Overall, the operator maintained extensive phishing campaigns, malware, and vast credential databases spanning multiple sectors.

The Attribution Puzzle

Based on technical analysis, there is broad consensus that the operations were conducted from China. Browser histories show the operator repeatedly used Google Translate to convert Korean text into simplified Chinese and followed work schedules matching Chinese holidays. Researchers from Korea University’s Graduate School of Information Security found Chinese-language documentation across the operator’s systems, notes written in Chinese characters, and browsing patterns focused on Chinese security websites. Spur, which specializes in proxy infrastructure analysis, traced much of the activity to WgetCloud, a Chinese proxy service predominantly used by China-based users.

Michael “Barni” Barnhart from DTEX, who has extensively tracked North Korean operations, told The Diplomat that “the infrastructure and malware used in these operations do not align with known APT43 tradecraft,” referring to the industry designation for North Korea’s Kimsuky. “The technical signatures, deployment methods, and operational patterns diverge significantly from previously observed APT43 campaigns,” he added. His assessment pointed to linguistic elements in malware communications suggesting “a lower-tier PRC-aligned actor.”

S2W, a South Korean cybersecurity firm, assessed that the actor was “unlikely to be directly associated with the North Korea-linked threat group Kimsuky,” citing inconsistent operational patterns and different toolsets from known Kimsuky operations.

But experts remain sharply divided on who was actually controlling these China-based operations. Some believe Chinese actors were working independently for Chinese intelligence interests. Others point to potential China-North Korea collaboration, given the documented precedent of North Korean operations from Chinese territory. Proponents of this view include Saber, who told The Diplomat that they believe the hacked hacker “is a Chinese national working from China and for both Chinese and North Korean government interests.”

A third theory suggests North Korea outsourced operations to Chinese contractors. The workstation involved was configured for the Korean time zone and its targets aligned with Kimsuky’s traditional focus on South Korean government institutions, potentially suggesting North Korean direction despite Chinese execution.

Barnhart noted that APT43 “is not assessed to be in a position of intelligence scarcity that would necessitate outsourcing to non-DPRK entities,” though such arrangements might “more plausibly align with Russian interests.”

The fourth possibility involves sophisticated Chinese false flag operations designed to implicate North Korea while pursuing separate intelligence objectives.

Seoul’s Fragmented Response

South Korea’s response has focused on damage control rather than accountability, likely reflecting both the scale and sensitivity of the hack, especially given the China connection.

Presidential spokesperson Kang Yu-jung claimed “no accurate information” when questioned about the breaches, deflecting to the Ministry of National Defense (MND). The MND has yet to comment publicly on the incident. When The Diplomat approached the Korea Internet & Security Agency, the agency deflected to the Ministry of Science and ICT (MSIT).

When approached directly, MSIT issued a brief statement: “MSIT is responsible for cyber threat response in the private information and communications sector, so we ask for your understanding that it is difficult to answer your questions.”

The Ministry of Unification acknowledged the incident, stating it had been “aware of security vulnerabilities in advance through cooperation with related agencies and completed measures.” The ministry confirmed implementing “security education for all staff” and strengthening “operational system security measures” following the breach.

Professor Kim Seung-joo from Korea University has been a vocal critic of the government, highlighting the absence of a cybersecurity “control tower.” At a recent parliamentary hearing into the KT and LG Uplus breaches – which mirrored a separate breach of SK Telecom, the country’s largest telecoms company – Kim said, “Our country’s government needs to think about how our intelligence capabilities are not even as good as two foreign hackers.”

When asked whether the breach constituted a national security crisis beyond mere data theft, he replied, “Yes, I see it that way.”

Seoul’s muted response could reflect diplomatic sensitivities around potential Chinese involvement. President Lee Jae-myung’s “pragmatic” diplomacy has sought improved relations with Beijing, with bilateral summit talks under consideration when President Xi Jinping visits for the upcoming APEC leaders’ meeting at the end of October. Direct attribution to China could complicate these efforts.

Beyond the diplomatic angle, confirmation of the link to China could potentially inflame anti-China sentiment and conspiracy theories, which have manifested in recent far-right rallies. The government is keen to diffuse these narratives.

A Systematic Campaign

The government’s lack of response becomes more concerning when viewed alongside evidence of widespread penetration across South Korea’s critical infrastructure.

According to data obtained by lawmakers, there were over 9,000 cyber intrusion attempts against military networks in the first half of 2025 alone, up 36 percent from 2023.

The Ministry of Health and Welfare and its agencies also faced over half a million hacking attempts by August 2025, up 151 percent from 2022. The ministry has seen a staggering 4,813 percent increase in targeting compared to 2022.

Yet despite planned increases in overall cybersecurity spending for 2026, critics argue that the government’s record 35.3 trillion won R&D budget plan lacks dedicated cybersecurity categories, with security funding either embedded within other sectors or missing entirely.

The fragility of critical government infrastructure was demonstrated in September when a battery fire at the National Information Resources Service in Daejeon shut down 647 government systems – nearly one-third of all national information systems. The National Intelligence Service raised the cyber threat level as a result, citing fears hackers could exploit potential security gaps during recovery work ahead of the APEC leaders meeting.

These vulnerabilities may represent only the visible portion of a far more serious compromise. Evidence in the Phrack data dump seen by The Diplomat suggests the penetration likely extended to highly sensitive materials related to North Korea and intelligence gathering operations. Given that the obtained data pertains to only one workstation, the discovery potentially reveals a much wider breach, raising further questions about attribution, potential false flag operations, and the purpose of gaining such information.

When specifically questioned about access to such materials, the Ministry of Unification provided vague responses, stating it was “currently investigating with related agencies” without elaborating which ones or the scope of the potential compromise.

As investigations continue, the question of attribution remains complex, but the scale of compromise across both public and private sectors is becoming clear, representing a strategic failure with implications for national security and public confidence in critical infrastructure.

“Hopefully researchers will take a closer look at the dumps and better understand how these APTs harass citizens,” Saber said. “The world would be a better place without them.”

Korea JoongAng Daily
Wednesday
October 1, 2025
BY JEONG JAE-HONG [yoon.soyeon@joongang.co.kr],D

A fire at the National Information Resources Service (NIRS)'s Daejeon headquarters destroyed the government’s G-Drive cloud storage system, erasing work files saved individually by some 750,000 civil servants, the Ministry of the Interior and Safety said Wednesday.

The fire broke out in the server room on the fifth floor of the center, damaging 96 information systems designated as critical to central government operations, including the G-Drive platform. The G-Drive has been in use since 2018, requiring government officials to store all work documents in the cloud instead of on personal computers. It provided around 30 gigabytes of storage per person.

However, due to the system’s large-capacity, low-performance storage structure, no external backups were maintained — meaning all data has been permanently lost.

The scale of damage varies by agency. The Ministry of Personnel Management, which had mandated that all documents be stored exclusively on G-Drive, was hit hardest. The Office for Government Policy Coordination, which used the platform less extensively, suffered comparatively less damage.

The Personnel Ministry stated that all departments are expected to experience work disruptions. It is currently working to recover alternative data using any files saved locally on personal computers within the past month, along with emails, official documents and printed records.

The Interior Ministry noted that official documents created through formal reporting or approval processes were also stored in the government’s Onnara system and may be recoverable once that system is restored.

“Final reports and official records submitted to the government are also stored in OnNara, so this is not a total loss,” said a director of public services at the Interior Ministry.

The Interior Ministry explained that while most systems at the Daejeon data center are backed up daily to separate equipment within the same center and to a physically remote backup facility, the G-Drive’s structure did not allow for external backups. This vulnerability ultimately left it unprotected.

Criticism continues to build regarding the government's data management protocols.

koreaherald.com - Seoul Guarantee Insurance, South Korea's largest provider of guarantee insurance, has been crippled by a ransomware attack, with its core systems offline for a third straight day.

The incident began early Monday, when SGI reported an “abnormal symptom” in its database system. By Tuesday afternoon, a joint investigation by the Financial Supervisory Service and the Financial Security Institute confirmed it was caused by a ransomware breach.

As a pivotal player in Korea’s guarantee insurance industry, SGI’s disruption is generating widespread confusion and inconvenience. The insurer provides guarantees for both individuals and corporations, with a guarantee balance of 478 trillion won ($344.4 billion) as of end-2024.

The impact is particularly severe in the housing market, where many rely on guarantee insurance for the “jeonse” rental system, where renters pay a large, refundable deposit in exchange for no monthly rent. SGI is one of the leading providers in this space, offering the highest cap on jeonse loan guarantees at 500 million won, compared to 200 million to 400 million won from other institutions.

While some services have been restored through cooperation with financial institutions, SGI’s main data system remains inoperative as of Wednesday morning. In urgent cases, the company has resorted to issuing handwritten guarantee certificates to minimize disruption.

Starting Wednesday, the insurer is operating an emergency center to collect reports of consumer damage and support recovery. “We vow full compensation and are planning responsible follow-up measures,” said SGI President and CEO Lee Myung-soon.

This is the first full-system disruption at a Korean financial institution caused by a ransomware attack and a second such case involving a Korean company this year. In June, major online bookstore Yes24 experienced a five-day outage and an estimated 10 billion won in lost sales due to a similar breach.

SK Telecom, South Korea’s largest telecom company, disclosed a data leak involving a malware infection.

SK Telecom is South Korea’s largest wireless carrier — it has tens of millions of subscribers and holds roughly half of the local market.

The company revealed on Tuesday in a Korean-language statement posted on its website that it detected an intrusion on April 19. An investigation showed that the attackers deployed malware and managed to obtain personal information belonging to customers.

Following the incident, SK Telecom is offering customers a free SIM protection service designed to prevent SIM swapping, which suggests that the leaked data could be leveraged for such activities.

Korean telecom company KT Corporation sent malware to its subscribers who use Webhard's Grid Service peer-to-peer sharing program to hide their files and stop them from using the service.

A North Korean hacking group had stolen a massive amount of personal information from a South Korean court computer network, probe results showed on Saturday.

A total of 1,014 gigabytes worth of data and documents were leaked from Seoul's court computer network between January 2021 and February 2023 by the hacking group, presumed to be Lazarus, according to the joint probe by the police, the prosecution and the National Intelligence Service.

The signees, which already included about a dozen other nations, agree to establish “robust guardrails and procedures" around spyware, while preventing the export of technology that will be used for malicious cyber activity.