
A Surge of Hacks Targeting Government and Industry
South Korea is grappling with a wave of cyberattacks in 2025, hitting both private companies and core government systems. In the first half of the year, a massive breach at SK Telecom exposed data of nearly 27 million users. More recently, incidents at KT (a major telecom) and Lotte Card (a financial firm) have come to light, alongside alarming evidence that even government ministries’ networks were infiltrated. This rash of attacks has prompted experts to warn that the nation faces a serious cybersecurity crisis. “Is it okay for just anyone to peek into the Onnara system? Government hacking should be taken seriously,” cautioned Shin Dong-hwi, a former white-hat hacker and security executive, referring to the government’s internal document system.
Photo caption: A cybersecurity expert discusses the recent hacking incidents during a video interview. A series of breaches at major corporations and government agencies has raised concerns about South Korea’s cyber defenses.
Shin’s warning comes amid what he describes as a “war against hacking” being waged on all fronts. In an interview about the recent breaches, Shin – now an adjunct professor at Sogang University – noted that the findings from a leaked hacker report showed multiple government agencies had been compromised, calling the situation potentially a “national crisis”. His view echoes other experts; for example, Professor Kim Seung-joo of Korea University has publicly stated that the government likely suffered a serious hack and urged treating the situation as a “state of national emergency” requiring an urgent security review of all government IT systems. Even officials who urge caution do not dispute the severity – they acknowledge signs of intrusion are real, even if the full scale of data theft is still being verified.
Intrusion into Government Systems (Onnara, GPKI, and More)
One of the most disturbing revelations is evidence that attackers breached South Korea’s government networks, including the Onnara system – a cloud-based platform used for inter-ministerial document writing, sharing, and approvals across all ministries. According to an analysis of leaked data first reported by the hacker e-zine Phrack, the hackers successfully obtained login access to Onnara via accounts at the Unification Ministry and the Oceans and Fisheries Ministry. Onnara contains a trove of official documents and communications, and it’s suspected that the attackers may have already exfiltrated numerous government documents from the system.
In addition, the intruders accessed other sensitive government assets. For example, internal records and source code related to the Government Public Key Infrastructure (GPKI) – which underpins the digital certificates used by public officials – were found in the hacker’s haul. Analysts identified “documents, source code, and certificate files” from the GPKI, along with 2,800 log verification records tied to government digital signatures. Source code for a webmail system used by the Ministry of Foreign Affairs (MOFA) was also discovered among the leaked files. In short, the attackers appear to have penetrated key government IT systems, obtaining not only documents but also the “source code and log records associated with [government] system logins” – effectively blueprinting the government’s network and authentication mechanisms.
Shin Dong-hwi stressed that these findings leave little doubt that government systems were indeed compromised. “The fact that [the hackers’ PC] contained a GPKI certificate of ours makes no sense – if they have something that belongs to us, it means we were hacked,” he said bluntly. Perhaps most troubling, he noted, is that authorities still cannot fully grasp how much information has been siphoned out, likening the situation to “driving with your eyes closed”. This uncertainty about the scope of data loss – whether limited or massive – underscores the critical danger of the breach. Even in a less alarmist view, experts agree immediate defensive measures are required; they call for comprehensive, independent forensics to trace the intrusion paths and verify what happened, cautioning against either underestimation or exaggeration of the impact.
How did the attackers manage to burrow into such supposedly secure government networks? Evidence points to an advanced, stealthy operation likely involving spear-phishing and custom malware. The cache of leaked hacker files contained phishing logs and tools indicating targeted attacks on government entities. In fact, the attackers appear to have set up fake websites impersonating official government portals to steal login credentials. Investigations found that rogue domains – for instance, “nid-security[.]com” and “webcloud-notice[.]com” – were crafted to mimic Korean government or service sites, tricking victims into entering their IDs and passwords. Some phishing pages closely spoofed high-profile government addresses like the Ministry of Defense’s mail portal (dcc.mil.kr), the Supreme Prosecutors’ Office (spo.go.kr), and the Foreign Affairs Ministry (mofa.go.kr).
Fake domain names used in the phishing campaign were designed to impersonate official South Korean sites, such as spo.go.kr (prosecutors’ office) or dcc.mil.kr (military intranet), by using lookalike URLs like “webcloud-notice.com”. This tactic tricked government employees into entering their credentials on sites that appeared legitimate. The attackers also used burner email accounts and TLS proxy techniques to capture login data in real time as victims interacted with the spoofed pages.
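As an added illustration (this code is not from the article or from the DomainTools report it draws on), the following Python triage script scores hostnames seen in a DNS log against the three official domains named above and the kind of lure words the rogue domains were built from. The scoring weights, the lure-word list, the log format and the log lines are all constructed for this example; the hostname mofa.go.kr.webcloud-notice.com is a hypothetical combination used to show the impersonation rule firing, not a domain reported in the article.

```python
import re

# Official domains that the phishing pages spoofed, as named in the article.
PROTECTED = ("spo.go.kr", "dcc.mil.kr", "mofa.go.kr")

# Lure words the rogue domains were assembled from ("nid-security", "webcloud-notice"),
# plus a few generic ones. Constructed list; extend it from your own phishing cases.
LURE_WORDS = ("security", "notice", "login", "auth", "verify", "cloud", "nid", "mail")

# Korean second-level labels, so that registrable("a.b.spo.go.kr") is "spo.go.kr".
KR_SECOND_LEVEL = {"go", "mil", "co", "or", "ne", "re", "ac", "pe"}

# Scoring weights (assumption: tuned for this example, not taken from any report).
W_IMPERSONATION, W_LURE, W_NON_GOV_TLD, THRESHOLD = 3, 1, 1, 2


def refang(domain: str) -> str:
    """Normalise a defanged indicator such as 'nid-security[.]com' to 'nid-security.com'."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable(host: str) -> str:
    """Registrable domain by a naive rule: last two labels, or last three under go.kr-style 2LDs."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-1] == "kr" and labels[-2] in KR_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def score(host: str):
    """Return (score, reasons) for one hostname; 0 means nothing suspicious."""
    host = refang(host)
    reg = registrable(host)
    if reg in PROTECTED:
        return 0, []                      # the genuine site (or a subdomain of it)
    reasons = []
    # Split on '.' and '-' so 'mofa-go-kr.example.com' and 'mofa.go.kr.example.com' both match.
    labels = set(host.replace("-", ".").split("."))
    for p in PROTECTED:
        brand = p.split(".")[0]           # 'spo', 'dcc', 'mofa'
        if brand in labels or p in host:
            reasons.append(f"impersonates {p}")
    for word in LURE_WORDS:
        if word in host:
            reasons.append(f"lure word '{word}'")
    total = (W_IMPERSONATION * sum(r.startswith("impersonates") for r in reasons)
             + W_LURE * sum(r.startswith("lure") for r in reasons))
    # A government-themed name served from outside .go.kr / .mil.kr is the tell.
    if reasons and not reg.endswith((".go.kr", ".mil.kr")):
        reasons.append("not under .go.kr/.mil.kr")
        total += W_NON_GOV_TLD
    return total, reasons


# Constructed DNS query log (format and entries invented for this example).
DNS_LOG = """\
2025-09-10T09:12:03Z src=10.20.30.41 qname=mail.mofa.go.kr qtype=A
2025-09-10T09:12:07Z src=10.20.30.41 qname=nid-security.com qtype=A
2025-09-10T09:12:09Z src=10.20.30.41 qname=webcloud-notice.com qtype=A
2025-09-10T09:13:55Z src=10.20.30.77 qname=mofa.go.kr.webcloud-notice.com qtype=A
2025-09-10T09:14:02Z src=10.20.30.77 qname=www.example.com qtype=A
"""
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+)")


def triage(log: str, threshold: int = THRESHOLD):
    """Return (src, hostname, score, reasons) for every query that crosses the threshold."""
    hits = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        s, reasons = score(m["qname"])
        if s >= threshold:
            hits.append((m["src"], refang(m["qname"]), s, reasons))
    return hits


if __name__ == "__main__":
    for src, host, s, reasons in triage(DNS_LOG):
        print(f"{src} -> {host}: score {s} ({'; '.join(reasons)})")
```

Substring matching on short tokens such as "nid" will hit unrelated hosts, so treat the output as a triage queue for an analyst rather than a block list, and feed it from sources that see new names early (passive DNS, certificate-transparency logs, newly registered domain feeds) so the lookalike is caught before the lure mail lands.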
Once inside the network, the attackers deployed custom backdoors and tools. The Phrack report (titled “APT Down: The North Korea Files”) describes several malicious programs uncovered on the hacker’s machine – including malware for maintaining remote access (backdoors) and even modules explicitly referencing “Onnara” (suggesting the hacker built tools to pivot within the government’s internal Onnara system). For example, a compiled version of Onnara-related code and plugins for proxying into the government network were present in the hacker’s files. This implies the attackers had not only stolen data but potentially maintained ongoing access into government systems, a hallmark of an advanced persistent threat.
Expert Warnings: “National Crisis” and Urgent Action Needed
Cybersecurity experts are unequivocal that these government breaches are extremely serious. “There was nothing in that Phrack report about government hacks that wasn’t serious,” Shin observed, fully agreeing with colleagues labeling it a “national crisis situation”. He and others argue that the government must treat this as a wake-up call: the integrity of national systems is at stake. Professor Kim Seung-joo urged that the authorities recognize a state of crisis and immediately conduct a sweeping security audit of all government computer systems. The fear is that hostile actors (whether cybercriminal groups or state-sponsored hackers) might have gained long-term footholds in critical networks, putting sensitive data – and potentially national security – at risk.
At the same time, specialists caution against jumping to conclusions without thorough investigation. Professor Lee Won-tae notes that the Phrack leak shows strong “signs of intrusion” but is not final proof of a complete, large-scale exfiltration. In other words, we know someone got in, but we don’t yet know exactly what they did or how far they went. Lee advocates for prompt but measured actions: fix any security gaps immediately, but also verify the provenance of the leaked data and conduct independent digital forensics to accurately attribute the attack and assess damage. Overestimating could cause undue panic, while underestimating could leave us vulnerable – hence a balanced, evidence-driven approach is needed.
Breaches at Major Companies: “These Could Have Been Prevented”
Not only government agencies, but private sector giants in Korea have also fallen victim to avoidable cyber incidents in recent months. Shin Dong-hwi emphasizes that the high-profile hacks at KT and Lotte Card in 2025 were “accidents that could have been stopped” with better security practices. The KT case is particularly troubling because it exposed weaknesses in the very system that telcos use for authenticating users. In that incident, attackers managed to connect an unauthorized micro-cell base station (a femtocell) to KT’s mobile network, and then used it to intercept or bypass user authentication processes. Essentially, the rogue femtocell acted like a trusted part of the network, allowing the hackers to hijack the verification of customers and make fraudulent “small payment” transactions.
According to police reports, the perpetrators – later arrested in Gyeonggi Province – were able to make unauthorized micro-payments (like gift card purchases and transit card top-ups) by hacking KT users’ phones via an unregistered femtocell connected to the carrier’s network. In fact, the device they used wasn’t even an official KT femtocell; it was a custom assembly of network components with a fake device ID that KT’s systems failed to detect or block. “There’s no excuse for that lapse,” Shin criticized, likening it to “leaving the door wide open” in terms of network access control. If it had simply been a case of an insider’s device not being deactivated (e.g. a former employee’s femtocell still allowed to connect), that would be bad enough. But the reality seems worse: KT’s authentication procedures were so lax that an entirely unknown device could join the network and impersonate a legitimate cell tower. This indicates a fundamental oversight in security design.
The fallout from the KT breach has been significant. Dozens of customers reported unexplained small charges, and KT had to apologize publicly for failing to manage its femtocell infrastructure properly. Investigations revealed that multiple illegal femtocell devices had been operating to facilitate these payment hacks. Lawmakers even grilled KT’s CEO in a National Assembly hearing, as the incident undermined trust in the country’s phone-based identity verification system, which is widely used for online payments and account logins. Shin points out that the real issue isn’t the monetary loss (which was relatively contained, around ₩240 million or $170,000 in fraud), but the breach of the telco’s ID verification process itself. Telecom companies in Korea serve as central hubs for user authentication (through SMS confirmations, etc.), so if their systems are repeatedly compromised, it raises the specter of more damaging follow-on abuses. For example, one concern was the possibility of attackers cloning mobile phones or SIM cards using stolen credentials. However, Shin noted that telecom providers have safeguards – if they detect duplicate IMSI, IMEI or SIM identifiers, they would react quickly – so large-scale phone cloning is unlikely at present. Nonetheless, the fact that core telecom infrastructure was penetrated remains deeply worrisome for future “second-order” attacks.
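The article does not describe KT’s actual provisioning or admission logic, so the following is an added example (not code from the article, KT or the Yonhap report) of the two controls the three paragraphs above imply were missing or weak: an admission check that rejects a femtocell whose identity is not in the provisioning registry, is deactivated, or presents the wrong device certificate, and a log-side check that flags subscriber attaches through an unregistered or deactivated femtocell and an IMSI that shows up on two different handsets within a short window, the duplicate-identifier signal Shin mentions. The registry, the certificate fingerprints, the FC- naming convention for femtocell IDs and the attach events are all constructed.

```python
from collections import defaultdict

# Assumption for this example: every provisioned femtocell is recorded here with the
# fingerprint of the device certificate issued at provisioning time, and 'active' is
# cleared when a unit is returned or its subscriber leaves. Entries are constructed.
FEMTOCELL_REGISTRY = {
    "FC-000123": {"cert_fp": "sha256:aa11aa11", "active": True},
    "FC-000777": {"cert_fp": "sha256:bb22bb22", "active": False},   # returned unit
}


def admit_femtocell(device_id: str, cert_fp: str):
    """Core-network admission check for a femtocell. Returns (allowed, reason).

    Identity first, then lifecycle state, then proof of possession, so a home-built
    box presenting a made-up ID fails at the first gate, not the last.
    """
    entry = FEMTOCELL_REGISTRY.get(device_id)
    if entry is None:
        return False, "unknown device id"
    if not entry["active"]:
        return False, "device deactivated"
    if entry["cert_fp"] != cert_fp:
        return False, "certificate does not match provisioning record"
    return True, "ok"


# Constructed subscriber attach events: (seconds, IMSI, IMEI, serving cell).
# Cell IDs beginning with 'FC-' are femtocells (naming convention assumed for the example).
ATTACH_EVENTS = [
    (0,    "450050001112223", "IMEI-A", "FC-000123"),   # attach via a registered femtocell
    (60,   "450050001112223", "IMEI-A", "MACRO-4401"),  # handover to a macro cell, same handset
    (120,  "450050009998887", "IMEI-B", "FC-999999"),   # attach via a cell nobody provisioned
    (150,  "450050009998887", "IMEI-C", "MACRO-4401"),  # same IMSI on a second handset 30 s later
    (3600, "450050001112223", "IMEI-D", "MACRO-4402"),  # new handset an hour later: a phone swap
]


def detect_anomalies(events, window: int = 300):
    """Flag attaches through unknown/deactivated femtocells and IMSIs seen on two IMEIs within `window` s."""
    findings = set()
    by_imsi = defaultdict(list)
    for ts, imsi, imei, cell in sorted(events):
        if cell.startswith("FC-"):
            entry = FEMTOCELL_REGISTRY.get(cell)
            if entry is None:
                findings.add(("unregistered-femtocell", cell, imsi))
            elif not entry["active"]:
                findings.add(("deactivated-femtocell", cell, imsi))
        by_imsi[imsi].append((ts, imei))
    for imsi, seen in by_imsi.items():
        for i, (ts, imei) in enumerate(seen):
            for later_ts, later_imei in seen[i + 1:]:
                if later_ts - ts > window:
                    break                   # time-sorted, so nothing closer follows
                if later_imei != imei:
                    findings.add(("imsi-on-two-handsets", imsi, tuple(sorted((imei, later_imei)))))
    return sorted(findings)


if __name__ == "__main__":
    print(admit_femtocell("FC-000123", "sha256:aa11aa11"))
    print(admit_femtocell("FC-424242", "sha256:cafecafe"))   # the 'custom box with a fake ID' case
    for finding in detect_anomalies(ATTACH_EVENTS):
        print(finding)
```

The admission check is the control that the article says was missing: a device ID that was never provisioned is rejected before it can serve a single subscriber. The second function is the safety net for the case where a rogue cell is already on the network, which is why it also reports a legitimate-looking IMSI that is suddenly active on two handsets; the one-hour gap in the last event is deliberately outside the window so that an ordinary phone swap does not page anyone.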
In the Lotte Card breach, the cause was a glaring oversight in basic cybersecurity hygiene: failure to patch a known vulnerability for eight years. Lotte Card’s systems were hacked in August 2025 via an Oracle WebLogic Server flaw (CVE-2017-10271) that dates back to 2017. This particular vulnerability is infamous: a remote code execution bug in WebLogic’s WLS Security component, reachable through the legacy wls-wsat web service, which had been publicly disclosed and fixed in Oracle’s October 2017 Critical Patch Update, with exploit code readily available online. In fact, security researchers note that CVE-2017-10271 has been widely exploited in the wild (cryptomining campaigns were abusing it within months of disclosure) precisely because so many servers remain unpatched despite the fix being long available. In Lotte Card’s case, leaving this hole unaddressed for nearly a decade is difficult to fathom. Attackers took advantage of it to install malware (a web shell) on the card company’s online payment server, attempting to exfiltrate some 1.7 GB of data. Although the breach was eventually detected and stopped, it shouldn’t have been possible in the first place. “It’s really hard to understand how it was left untouched for 8 years,” said Shin, adding that the vulnerability was so well-known that “even the attack code for it was fully public”. The incident has drawn sharp criticism, and even the company’s CEO admitted the lapse stemmed from not updating old systems. It serves as a stark reminder that outdated software and delays in applying patches remain a major weak link in cybersecurity.
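To make the “well-known, long-patched, still exploited” point concrete, here is an added Python detector (not code from the article or the Criminal IP report) that scans WAF-style JSON log records for traffic to the /wls-wsat/ endpoint through which CVE-2017-10271 is reached, and separates mere probing of the endpoint from POST requests that carry the XMLDecoder payload structure exploitation of this bug relies on. The log format and the three records are constructed; the request body in the second record is a truncated signature, not a working payload.

```python
import json
import re

# The legacy WS-AtomicTransaction endpoint through which CVE-2017-10271 is reached. On a
# server that does not use WS-AT, any traffic here deserves a look; a POST whose body
# drives java.beans.XMLDecoder is the exploit itself.
WSAT_PATH = re.compile(r"^/wls-wsat/", re.I)
XMLDECODER = re.compile(r"java\.beans\.XMLDecoder", re.I)
# Classes an XMLDecoder payload instantiates to run commands or write a web shell to disk.
DANGEROUS_CLASSES = re.compile(
    r"java\.lang\.(ProcessBuilder|Runtime)|java\.io\.(FileOutputStream|PrintWriter)", re.I)

# Constructed WAF log, one JSON record per line (format invented for this example; the body
# of the second record is a truncated signature, not a working payload).
WAF_LOG = """\
{"ts":"2025-08-14T02:11:09Z","src":"203.0.113.5","method":"GET","path":"/wls-wsat/CoordinatorPortType","status":200,"body":""}
{"ts":"2025-08-14T02:11:12Z","src":"203.0.113.5","method":"POST","path":"/wls-wsat/CoordinatorPortType","status":500,"body":"<soapenv:Envelope><soapenv:Header><work:WorkContext><java class=\\"java.beans.XMLDecoder\\"><object class=\\"java.lang.ProcessBuilder\\"> ... </object></java></work:WorkContext></soapenv:Header></soapenv:Envelope>"}
{"ts":"2025-08-14T02:15:40Z","src":"198.51.100.9","method":"POST","path":"/console/login/LoginForm.jsp","status":200,"body":"j_username=...&j_password=..."}
"""


def classify(record: dict):
    """Return None, 'probe', 'suspicious-xmldecoder' or 'exploit-attempt' for one request."""
    if not WSAT_PATH.search(record.get("path", "")):
        return None
    body = record.get("body", "")
    if record.get("method") == "POST" and XMLDECODER.search(body):
        return "exploit-attempt" if DANGEROUS_CLASSES.search(body) else "suspicious-xmldecoder"
    return "probe"   # someone is checking whether the endpoint exists


def scan(log: str):
    """Run classify() over every record; returns (ts, src, path, verdict) for the hits."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        verdict = classify(record)
        if verdict:
            findings.append((record["ts"], record["src"], record["path"], verdict))
    return findings


if __name__ == "__main__":
    for ts, src, path, verdict in scan(WAF_LOG):
        print(f"{ts} {src} {path}: {verdict}")
```

Anything other than None from an Internet-facing WebLogic instance should raise an alert, and a probe followed within seconds by an exploit attempt from the same source, as in the constructed log, is the usual pattern of a scanner that found a live target. Detection is the backstop, not the fix: the fix is the October 2017 patch, and where the WS-AT feature is unused, hardening guides commonly recommend removing the wls-wsat application so the endpoint is not there to be hit. Because a web shell dropped through this path lands on disk, pair request-side detection with file-integrity monitoring of the deployed application directories.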
South Korea as a Target: High Tech Adoption vs. Security Gaps
South Korea’s hyper-connected digital society – with near-100% smartphone and internet usage – has unfortunately become an attractive target for hackers worldwide. Some commentators have cynically dubbed Korea a “testbed” for cyberattacks, suggesting that attackers probe its defenses because of perceived weaknesses. Shin Dong-hwi refutes the notion that Korea’s overall security is that feeble; “Korea’s security level isn’t so weak as to be a testbed,” he said, cautioning against excessive fear. The country has many capable security professionals and advanced systems. However, there are factors that do make South Korea especially enticing to attackers. For one, the sheer ubiquity of digital services in everyday life – banking, shopping, public services, all integrated with IT platforms – means there is a vast attack surface and a wealth of interconnected targets. If an attacker finds one gap, it can potentially open access to a broad ecosystem of services.
Additionally, South Korea has unique systems for personal identification and authentication. In recent years, telecom and financial companies each rolled out their own proprietary identity verification apps (as alternatives to the old resident ID certificate system). This proliferation of “self-developed” ID systems by different companies may have introduced unforeseen vulnerabilities. Shin noted that some of these new authentication schemes implemented by telecom and banking firms had security loopholes, which likely piqued the interest of hackers looking for novel ways to bypass protections. The KT incident is a case in point – it exposed a crack in the telecom-based authentication process. Thus, while South Korea’s integration of technology into daily life is highly advanced, it also means attackers have more opportunities to find weak points, whether in government e-document platforms, telecom networks, or payment systems.
Despite the sobering breaches, Shin advises against panic or fatalism. He does not believe South Korea is doomed to be a perpetual cyber victim, and he cautions against stoking “excessive anxiety”. The focus, he suggests, should be on identifying and fixing the security gaps that made these attacks possible, rather than on broad generalizations.
Underinvestment in Security: A Long-Standing Problem
A recurring theme in these incidents is that many were preventable with proper security measures and vigilance. So why were those measures lacking? According to Shin and many in the cybersecurity field, the root cause often boils down to a hard truth: organizations chronically underinvest in security because it’s seen as a cost center, not a profit driver. In Shin’s words, it’s difficult to blame the frontline security engineers alone when “the fundamental cause is companies being stingy with security spending since it doesn’t make money.”
Even when companies pursue security certifications or compliance programs, the effort can be superficial. Shin gives the example of ISMS-P, one of Korea’s top security certification standards. Many firms treat the certification process as a paperwork exercise – “documents for the sake of documents,” as he describes it – focusing on ticking boxes to pass the audit rather than truly improving their security posture. They might create polished security policy documents, yet not actually fix all the known vulnerabilities on their servers, because doing so is time-consuming and costly. Tellingly, SK Telecom, KT, and Lotte Card all possessed ISMS-P certifications, and yet all fell victim to major breaches. This suggests that formal compliance alone did not ensure real security – either the standards weren’t stringent enough, or the implementations were ineffective in practice.
Indeed, an official investigation into the SK Telecom breach found the company had left critical systems dangerously exposed. Regulators noted that SKT’s internal servers had no passwords set and were running outdated, unpatched operating systems, making it trivially easy for outsiders to access the intranet. The Personal Information Protection Commission fined SKT ₩134 billion (≈$97 million) for negligence and slow breach disclosure, calling the company’s systems “very weak” and ordering an overhaul of its security governance. This case vividly illustrates the consequences of lax security practices at even the largest enterprises.
Shin’s experience as a security consultant and executive resonates with this pattern. He recounts that after every big hacking incident, companies temporarily ramp up their attention and investment in security – only to lose interest and revert to old habits once the headlines fade. It’s a frustrating cycle: breach occurs → management demands improvements → some money is spent on security tools or audits → no immediate incident happens, so security slips down the priority list again. “Why do we keep getting hacked over and over?” Shin asked rhetorically. “Because after the incident passes, companies go back to not maintaining consistent security efforts. We have to break out of the cycle of one-off reactions.”
The hope among experts is that this time will be different – that the confluence of major incidents in 2025 will serve as a true turning point. With both government infrastructure and big-name corporations hit hard, perhaps there is now enough public and regulatory pressure to sustain long-term improvements in cybersecurity. Shin emphasizes that continuous investment and vigilance are needed, not just “flashlight” attention during crises. The cost of complacency has been made painfully clear. As he ominously warns, if things simply go back to business as usual, it’s only a matter of time before the next, perhaps even more damaging, breach occurs. The lesson is clear: security must become a constant priority, not a temporary scramble.
The Phrack Leak: North Korean APT or Something Else?
A key source of the revelations about the government hacks was an unusual leak published in Phrack Magazine, an old-school hacking journal. Titled “APT Down: The North Korea Files,” the report detailed data purportedly taken from a North Korean cyber espionage operative’s computer. According to Phrack’s account, two anonymous ethical hackers (going by the pseudonyms “Saber” and “cyb0rg”) managed to breach the workstation of a hacker believed to belong to the North Korean group Kimsuky (a.k.a. APT43). They did so in mid-2025, even presenting some of the findings at the DEF CON hacker conference in August. The data dump from the Kimsuky operator – nicknamed “Kim’s dump” – was subsequently shared via the DDoSecrets whistleblower platform and then analyzed in the Phrack article. This leak of a hacker’s own logs provided a rare inside look at an APT’s operations, including the toolkit and stolen data that “Kim” had on his systems.
However, attribution of the attacks has become a point of debate. While the initial assumption was that the breaches were done by Kimsuky (given the target was a Kimsuky member’s machine), further analysis by Korean experts suggests a different story. A team at Korea University’s Cybersecurity Center found signs that the hacker behind “APT Down” might not be North Korean at all, but rather Chinese. Security firm S2W, which did a detailed review of the leaked data, came to a similar conclusion: they codenamed the actor “UNSI-018” and assessed that “KIM” is unlikely to be directly associated with Kimsuky. There were some overlaps with known Kimsuky tactics (for instance, both used phishing emails with tracking beacons, and both targeted Korean government credentials like GPKI certificates). But critical differences stood out. Notably, the operational environment in the dump pointed to extensive use of Chinese-language resources. S2W found that the hacker used Chinese search engines (Baidu), frequented Chinese tech forums, and wrote comments or notes in Chinese. He even used Chinese cloud storage (Baidu Cloud), which requires a Chinese ID to register. These clues strongly indicate a Chinese-speaking actor. Moreover, some of the phishing infrastructure and malware techniques did not match what Kimsuky is known to use, suggesting this could be a distinct group leveraging Kimsuky’s name or tactics as a cover.
In summary, while the moniker of the Phrack report references “The North Korea Files,” the true origin of the hacker might lie elsewhere. It’s possible that a Chinese-linked group infiltrated Korean networks, and their data was mistaken for (or intentionally misattributed to) North Korea’s Kimsuky. This twist is a reminder of the complexities in cyber-espionage attribution – hackers often obscure their identities, and investigators must sift through deceptive evidence. Regardless of who the perpetrator is, what remains incontrovertible is that someone gained deep access to South Korea’s sensitive systems – and that is the crux of the crisis at hand.
Conclusion
The recent cascade of cyber incidents in South Korea – from telecom carriers and financial companies to core government platforms – has exposed serious shortcomings in the nation’s cybersecurity readiness. On one level, these are cautionary tales of known vulnerabilities left unpatched, weak authentication safeguards, and complacent security governance. Each breach carried lessons that, if heeded, could strengthen defenses: patch legacy systems diligently, enforce strict controls on network access, and continuously monitor for intrusions. On another level, the fact that state agencies were hacked and potentially surveilled by foreign actors elevates the issue to a matter of national security.
The consensus among experts is clear: South Korea must recognize that it is under constant cyber assault and respond with sustained, proactive investment in security. The idea of a “national crisis” is not hyperbole when government secrets and critical infrastructure are at stake. This means not only emergency fixes in the aftermath of attacks, but a cultural shift where cybersecurity is treated as an integral part of operations in both public and private sectors. Companies need to move beyond checkbox compliance and truly harden their systems. Government networks must be audited and fortified with the latest protections, and any backdoors found must be closed. The cost of security should be seen as an essential insurance, not a dispensable expense.
South Korea has long been at the forefront of technological adoption; now it must strive to lead in security as well. The attacks of 2025 have been a painful wake-up call. Whether this wake-up call leads to meaningful change – or whether the nation hits the snooze button and slips back into old patterns – may determine how the next chapter of “hacking wars” unfolds. For the sake of its citizens’ data and the country’s security, one hopes that this time will indeed be different, and that robust cybersecurity becomes the new normal before the next threat emerges.
Sources:
• Kyunghyang Shinmun (2025). Interview with Shin Dong-hwi on recent hacking incidents.
• S2W TALON Report (2025). Detailed Analysis of “APT Down: The North Korea Files”.
• Reuters (2025). SK Telecom fined for data leak; security failings noted.
• The Korea Times (Yonhap, 2025). KT micropayment hack involved illegal femtocell.
• Criminal IP OSINT Report (2025). Lotte Card breach via 2017 WebLogic RCE.
• DomainTools DTI (2025). Inside the Kimsuky Leak – phishing infrastructure.