Cyber Incident Victim: Woorimal Academic Society
Date: Jan 2023
Location: South Korea
Summary
A Chinese-language hacktivist group known as Xiaoqiying, Genesis Day, or Teng Snake targeted multiple South Korean academic and research institutions, including the Woorimal Academic Society, through data exfiltration and website defacement attacks. The group, motivated by patriotism toward China, exploited internet-facing devices using penetration-testing tools and proof-of-concept exploits, stealing 54 gigabytes of data and posting defacement messages claiming an "invasion" of Korean internet infrastructure. They leaked stolen data on cybercrime forums like BreachForums and Ramp Forum, while also recruiting members via Telegram channels later shut down. The actors expanded operations to target entities in Japan and Taiwan, with unverified claims of compromising organizations including National Taiwan University. No financial motives or direct government ties were identified, aligning with their ideological focus.
Description
On or around January 25, 2023, a Chinese-language threat group known as Xiaoqiying, Genesis Day, or Teng Snake initiated cyberattacks against twelve South Korean research and academic institutions, including the Woorimal Academic Society, the Korean Research Institute for Construction Policy, the Korean Archaeological Society, and the Korean Academy of Basic Medicine & Health Science. The attacks involved data exfiltration and website defacements. Researchers from Recorded Future’s Insikt Group attributed the activity to this ideologically motivated hacktivist group, which operated primarily through two Telegram channels for recruitment, coordination, and public announcements. The group exploited internet-facing devices using popular penetration-testing tools and proof-of-concept exploit code. They claimed to have stolen 54 gigabytes of data from multiple organizations, though many assertions—including compromises of entities like the FBI, Samsung, and South Korea’s Ministry of Health and Defense—remained unverified. The actors posted stolen data on cybercriminal forums such as BreachForums and Ramp Forum, though they were later banned from the latter for allegedly hiding malware in download links. Website defacements involved replacing content with generic error pages or messages declaring the “Korean Internet” had been “invaded.”

The group’s Telegram channels, which had over 700 subscribers, were shut down in February 2023 following media coverage of the South Korean attacks. Insikt Group researchers obtained leaked data, malware source code, U.S. government-related files, and credit card information from these channels before their closure. Despite the shutdown, affiliated actors continued operations via a clearnet website created on January 5, 2023, which was traced to a Cloudflare IP address linked to APT36, a Pakistan-based threat group. In April 2023, a hacker using the alias “uetus” claimed to have compromised National Taiwan University and leaked 25 GB of data, though the depth of access was unclear. The group’s activities extended beyond South Korea to include Japan and Taiwan, with researchers noting its patriotic motivations toward China and lack of financial objectives. No direct ties to the Chinese government were identified, but the targeting aligned with historical Chinese cyber operations against South Korean entities for geopolitical and criminal purposes. The FBI-led takedown of BreachForums in March 2023 disrupted some of the group’s data-leaking efforts.
